Lucene search

K
amazonAmazonALAS-2023-1766
HistoryJun 05, 2023 - 4:39 p.m.

Important: squid

2023-06-0516:39:00
alas.aws.amazon.com
20
squid
http proxy
vulnerabilities
incorrect http request
ntlm authentication
denial of service
red hat
mitre
unix

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

74.6%

Issue Overview:

Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients. (CVE-2016-10003)

An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. (CVE-2020-8517)

Affected Packages:

squid

Issue Correction:
Run yum update squid to update your system.

New Packages:

i686:  
    squid-migration-script-3.5.20-17.48.amzn1.i686  
    squid-debuginfo-3.5.20-17.48.amzn1.i686  
    squid-3.5.20-17.48.amzn1.i686  
  
src:  
    squid-3.5.20-17.48.amzn1.src  
  
x86_64:  
    squid-debuginfo-3.5.20-17.48.amzn1.x86_64  
    squid-migration-script-3.5.20-17.48.amzn1.x86_64  
    squid-3.5.20-17.48.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-10003, CVE-2020-8517

Mitre: CVE-2016-10003, CVE-2020-8517

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

74.6%