Debian Bug report logs -
#1055252
squid: CVE-2023-46724: SQUID-2023:4 Denial of Service in SSL Certificate validation
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#1055252; Package src:squid.
(Thu, 02 Nov 2023 20:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Luigi Gangitano <luigi@debian.org>.
(Thu, 02 Nov 2023 20:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: squid
Version: 6.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for squid.
CVE-2023-46724[0]:
| Squid is a caching proxy for the Web. Due to an Improper Validation
| of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0
| prior to 6.4 compiled using `--with-openssl` are vulnerable to a
| Denial of Service attack against SSL Certificate validation. This
| problem allows a remote server to perform Denial of Service against
| Squid Proxy by initiating a TLS Handshake with a specially crafted
| SSL Certificate in a server certificate chain. This attack is
| limited to HTTPS and SSL-Bump. This bug is fixed in Squid version
| 6.4. In addition, patches addressing this problem for the stable
| releases can be found in Squid's patch archives. Those who you use a
| prepackaged version of Squid should refer to the package vendor for
| availability information on updated packages.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46724
https://www.cve.org/CVERecord?id=CVE-2023-46724
[1] https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3
[2] https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
[3] https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Nov 3 17:55:38 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon