CVE-2023-49285

Name	CVE-2023-49285
Description	Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3709-1, DSA-5637-1, ELA-1037-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squid (PTS)	buster	4.6-1+deb10u7	vulnerable
	buster (security)	4.6-1+deb10u10	fixed
	bullseye	4.13-10+deb11u2	vulnerable
	bullseye (security)	4.13-10+deb11u3	fixed
	bookworm	5.7-2	vulnerable
	bookworm (security)	5.7-2+deb12u1	fixed
	trixie	6.6-1	fixed
	sid	6.9-1	fixed
squid3 (PTS)	jessie, jessie (lts)	3.5.23-5+deb8u7	fixed
	stretch (security)	3.5.23-5+deb9u7	vulnerable
	stretch (lts), stretch	3.5.23-5+deb9u10	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
squid	source	buster	4.6-1+deb10u9		DLA-3709-1
squid	source	bullseye	4.13-10+deb11u3		DSA-5637-1
squid	source	bookworm	5.7-2+deb12u1		DSA-5637-1
squid	source	(unstable)	6.5-1	low
squid3	source	jessie	3.5.23-5+deb8u7		ELA-1037-1
squid3	source	stretch	3.5.23-5+deb9u10		ELA-1037-1
squid3	source	(unstable)	(unfixed)

Notes

https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9
https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b (v5 branch)
http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch
https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470 (SQUID_6_5)
http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch