Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0298-1 Final 1 1 2024-02-01T12:33:45Z current 2024-02-01T12:33:45Z 2024-02-01T12:33:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: - CVE-2023-50269: fixed X-Forwarded-For Stack Overflow. (bsc#1217654) - CVE-2024-23638: fixed Denial of Service attack against Cache Manager error responses. (bsc#1219131) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-298,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-298,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-298,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-298,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-298,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-298,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-298,SUSE-Storage-7.1-2024-298 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240298-1/ Link for SUSE-SU-2024:0298-1 https://lists.suse.com/pipermail/sle-security-updates/2024-February/017840.html E-Mail link for SUSE-SU-2024:0298-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217654 SUSE Bug 1217654 https://bugzilla.suse.com/1219131 SUSE Bug 1219131 https://www.suse.com/security/cve/CVE-2023-50269/ SUSE CVE CVE-2023-50269 page https://www.suse.com/security/cve/CVE-2024-23638/ SUSE CVE CVE-2024-23638 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 squid-4.17-150000.5.49.1 squid-4.17-150000.5.49.1 as a component of SUSE Enterprise Storage 7.1 squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 squid-4.17-150000.5.49.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. CVE-2023-50269 SUSE Enterprise Storage 7.1:squid-4.17-150000.5.49.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server 15 SP2-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server 15 SP3-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:squid-4.17-150000.5.49.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240298-1/ https://www.suse.com/security/cve/CVE-2023-50269.html CVE-2023-50269 https://bugzilla.suse.com/1217654 SUSE Bug 1217654 Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`. CVE-2024-23638 SUSE Enterprise Storage 7.1:squid-4.17-150000.5.49.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server 15 SP2-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server 15 SP3-LTSS:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:squid-4.17-150000.5.49.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:squid-4.17-150000.5.49.1 moderate 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240298-1/ https://www.suse.com/security/cve/CVE-2024-23638.html CVE-2024-23638 https://bugzilla.suse.com/1219131 SUSE Bug 1219131