Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4380-1 Final 1 1 2023-11-06T15:51:25Z current 2023-11-06T15:51:25Z 2023-11-06T15:51:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: - CVE-2023-46846: Request/Response smuggling in HTTP/1.1 and ICAP (bsc#1216500). - CVE-2023-46847: Denial of Service in HTTP Digest Authentication (bsc#1216495). - CVE-2023-46724: Fix validation of certificates with CN=* (bsc#1216803). - CVE-2023-46848: Denial of Service in FTP (bsc#1216498). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP4-Manager-Proxy-4-3-BYOS-2023-4380,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure-2023-4380,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2-2023-4380,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE-2023-4380,SUSE-2023-4380,SUSE-SLE-Module-Server-Applications-15-SP4-2023-4380,SUSE-SLE-Module-Server-Applications-15-SP5-2023-4380,openSUSE-SLE-15.4-2023-4380,openSUSE-SLE-15.5-2023-4380 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234380-1/ Link for SUSE-SU-2023:4380-1 https://lists.suse.com/pipermail/sle-security-updates/2023-November/017003.html E-Mail link for SUSE-SU-2023:4380-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216495 SUSE Bug 1216495 https://bugzilla.suse.com/1216498 SUSE Bug 1216498 https://bugzilla.suse.com/1216500 SUSE Bug 1216500 https://bugzilla.suse.com/1216803 SUSE Bug 1216803 https://www.suse.com/security/cve/CVE-2023-46724/ SUSE CVE CVE-2023-46724 page https://www.suse.com/security/cve/CVE-2023-46846/ SUSE CVE CVE-2023-46846 page https://www.suse.com/security/cve/CVE-2023-46847/ SUSE CVE CVE-2023-46847 page https://www.suse.com/security/cve/CVE-2023-46848/ SUSE CVE CVE-2023-46848 page Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 squid-5.7-150400.3.12.1 squid-5.7-150400.3.12.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS squid-5.7-150400.3.12.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure squid-5.7-150400.3.12.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 squid-5.7-150400.3.12.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE squid-5.7-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 squid-5.7-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 squid-5.7-150400.3.12.1 as a component of openSUSE Leap 15.4 squid-5.7-150400.3.12.1 as a component of openSUSE Leap 15.5 Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. CVE-2023-46724 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP5:squid-5.7-150400.3.12.1 openSUSE Leap 15.4:squid-5.7-150400.3.12.1 openSUSE Leap 15.5:squid-5.7-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234380-1/ https://www.suse.com/security/cve/CVE-2023-46724.html CVE-2023-46724 https://bugzilla.suse.com/1216803 SUSE Bug 1216803 SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems. CVE-2023-46846 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP5:squid-5.7-150400.3.12.1 openSUSE Leap 15.4:squid-5.7-150400.3.12.1 openSUSE Leap 15.5:squid-5.7-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234380-1/ https://www.suse.com/security/cve/CVE-2023-46846.html CVE-2023-46846 https://bugzilla.suse.com/1216500 SUSE Bug 1216500 Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication. CVE-2023-46847 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP5:squid-5.7-150400.3.12.1 openSUSE Leap 15.4:squid-5.7-150400.3.12.1 openSUSE Leap 15.5:squid-5.7-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234380-1/ https://www.suse.com/security/cve/CVE-2023-46847.html CVE-2023-46847 https://bugzilla.suse.com/1216495 SUSE Bug 1216495 Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input. CVE-2023-46848 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.12.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP5:squid-5.7-150400.3.12.1 openSUSE Leap 15.4:squid-5.7-150400.3.12.1 openSUSE Leap 15.5:squid-5.7-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234380-1/ https://www.suse.com/security/cve/CVE-2023-46848.html CVE-2023-46848 https://bugzilla.suse.com/1216498 SUSE Bug 1216498