squid-6.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13398 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z squid-6.4-1.1 on GA media These are all security issues fixed in the squid-6.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13398 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13398 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-46724/ SUSE CVE CVE-2023-46724 page https://www.suse.com/security/cve/CVE-2023-46846/ SUSE CVE CVE-2023-46846 page https://www.suse.com/security/cve/CVE-2023-46847/ SUSE CVE CVE-2023-46847 page https://www.suse.com/security/cve/CVE-2023-46848/ SUSE CVE CVE-2023-46848 page https://www.suse.com/security/cve/CVE-2023-5824/ SUSE CVE CVE-2023-5824 page openSUSE Tumbleweed squid-6.4-1.1 squid-6.4-1.1 as a component of openSUSE Tumbleweed Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. CVE-2023-46724 openSUSE Tumbleweed:squid-6.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46724.html CVE-2023-46724 https://bugzilla.suse.com/1216803 SUSE Bug 1216803 SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems. CVE-2023-46846 openSUSE Tumbleweed:squid-6.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46846.html CVE-2023-46846 https://bugzilla.suse.com/1216500 SUSE Bug 1216500 Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication. CVE-2023-46847 openSUSE Tumbleweed:squid-6.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46847.html CVE-2023-46847 https://bugzilla.suse.com/1216495 SUSE Bug 1216495 Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input. CVE-2023-46848 openSUSE Tumbleweed:squid-6.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46848.html CVE-2023-46848 https://bugzilla.suse.com/1216498 SUSE Bug 1216498 Squid is vulnerable to Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug. CVE-2023-5824 openSUSE Tumbleweed:squid-6.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5824.html CVE-2023-5824 https://bugzilla.suse.com/1216496 SUSE Bug 1216496