Updated: 2024-11-22 04:15:14.650957
Description:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with "collapsed_forwarding on" are vulnerable. Configurations with "collapsed_forwarding off" or without a "collapsed_forwarding" directive are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should remove all collapsed_forwarding lines from their squid.conf.
Links: NIST | CIRCL | RHEL | Ubuntu
| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | 0 | |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | squid | 5.5 | 7.5 | HIGH | In Progress | | 2024-12-03 05:30:38 | Squid upstream doesn't provide any designated patch set for the fix of this CVE. The general recomme... |
| CentOS 8.4 ELS | squid | 4.11-4 | 7.5 | HIGH | Needs Triage | | 2024-11-12 16:57:51 | Squid upstream doesn't provide any designated patch set for the fix of this CVE. The general recomme... |
| CentOS 8.5 ELS | squid | 4.15-1 | 7.5 | HIGH | Needs Triage | | 2024-11-12 16:57:51 | Squid upstream doesn't provide any designated patch set for the fix of this CVE. The general recomme... |
| Ubuntu 16.04 ELS | squid | 3.5.12-1 | 7.5 | HIGH | Released | CLSA-2024:1716272474 | 2024-05-21 05:41:36 | Squid upstream doesn't provide any designated patch set for the fix of this CVE. The general recomme... |
| Ubuntu 18.04 ELS | squid | 3.5.27-1 | 7.5 | HIGH | Released | CLSA-2024:1714462008 | 2024-04-30 05:09:12 | Squid upstream doesn't provide any designated patch set for the fix of this CVE. The general recomme... |