CVE-2023-50269

NameCVE-2023-50269
DescriptionSquid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3709-1, DSA-5637-1, ELA-1037-1
Debian Bugs1058721

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster (security), buster, buster (lts)4.6-1+deb10u10fixed
bullseye (security), bullseye4.13-10+deb11u3fixed
bookworm (security), bookworm5.7-2+deb12u2fixed
sid, trixie6.12-1fixed
squid3 (PTS)jessie, jessie (lts)3.5.23-5+deb8u7fixed
stretch (security)3.5.23-5+deb9u7vulnerable
stretch (lts), stretch3.5.23-5+deb9u10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsourcebuster4.6-1+deb10u9DLA-3709-1
squidsourcebullseye4.13-10+deb11u3DSA-5637-1
squidsourcebookworm5.7-2+deb12u1DSA-5637-1
squidsource(unstable)6.6-11058721
squid3sourcejessie3.5.23-5+deb8u7ELA-1037-1
squid3sourcestretch3.5.23-5+deb9u10ELA-1037-1
squid3source(unstable)(unfixed)

Notes

https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch
Search for package or bug name: Reporting problems