CVE-2022-41317

NameCVE-2022-41317
DescriptionAn issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3151-1, DSA-5258-1, ELA-743-1
Debian Bugs1020587

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster4.6-1+deb10u7vulnerable
buster (security)4.6-1+deb10u10fixed
bullseye (security), bullseye4.13-10+deb11u2fixed
bookworm5.7-2fixed
sid, trixie6.6-1fixed
squid3 (PTS)jessie, jessie (lts)3.5.23-5+deb8u7fixed
stretch (security)3.5.23-5+deb9u7vulnerable
stretch (lts), stretch3.5.23-5+deb9u10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsourcebuster4.6-1+deb10u8DLA-3151-1
squidsourcebullseye4.13-10+deb11u2DSA-5258-1
squidsource(unstable)5.7-11020587
squid3sourcejessie3.5.23-5+deb8u6ELA-743-1
squid3sourcestretch3.5.23-5+deb9u9ELA-743-1
squid3source(unstable)(unfixed)

Notes

https://www.openwall.com/lists/oss-security/2022/09/23/1
Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
Squid 5: http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch (5.7)

Search for package or bug name: Reporting problems