CVE-2023-49288

2023-12-0400:00:00

ubuntu.com

squid proxy

use-after-free

denial of service

collapsed forwarding

vulnerability

upgrade

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

7.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.6%

JSON

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.
Affected versions of squid are subject to a a Use-After-Free bug which can
lead to a Denial of Service attack via collapsed forwarding. All versions
of Squid from 3.5 up to and including 5.9 configured with
“collapsed_forwarding on” are vulnerable. Configurations with
“collapsed_forwarding off” or without a “collapsed_forwarding” directive
are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are
advised to upgrade. Users unable to upgrade should remove all
collapsed_forwarding lines from their squid.conf.

Bugs

<https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2060880 (regression)>

Notes

Author	Note
mdeslaur	need to identify commit in 6.0.1…perhaps this one? https://github.com/squid-cache/squid/commit/836d3c0b158f6e7bc795d1e6d881c873d98728e8 or https://github.com/squid-cache/squid/commit/9358e99f998ace9c4c7a21d510432dde5b7f9cca While this is fixed by a yet unidentified commit in 6.0.1, I believe it is also fixed in a different way by the refactoring in the commit to fix CVE-2023-5824. The issue no longer reproduces with the fix for CVE-2023-5824 applied. Ubuntu 20.04 LTS was patched in USN-6728-1, but the fix introduced crashes and was backed out in USN-6728-2.

Author

Note

mdeslaur

need to identify commit in 6.0.1…perhaps this one? https://github.com/squid-cache/squid/commit/836d3c0b158f6e7bc795d1e6d881c873d98728e8 or https://github.com/squid-cache/squid/commit/9358e99f998ace9c4c7a21d510432dde5b7f9cca While this is fixed by a yet unidentified commit in 6.0.1, I believe it is also fixed in a different way by the refactoring in the commit to fix CVE-2023-5824. The issue no longer reproduces with the fix for CVE-2023-5824 applied. Ubuntu 20.04 LTS was patched in USN-6728-1, but the fix introduced crashes and was backed out in USN-6728-2.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchsquid< 4.10-1ubuntu1.12UNKNOWN
ubuntu22.04noarchsquid< 5.7-0ubuntu0.22.04.4UNKNOWN
ubuntu18.04noarchsquid3< anyUNKNOWN
ubuntu16.04noarchsquid3< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	squid	< 4.10-1ubuntu1.12	UNKNOWN
ubuntu	22.04	noarch	squid	< 5.7-0ubuntu0.22.04.4	UNKNOWN
ubuntu	18.04	noarch	squid3	< any	UNKNOWN
ubuntu	16.04	noarch	squid3	< any	UNKNOWN