CVE-2024-45802

NameCVE-2024-45802
DescriptionSquid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster (security), buster, buster (lts)4.6-1+deb10u10vulnerable
bullseye (security), bullseye4.13-10+deb11u3vulnerable
bookworm (security), bookworm5.7-2+deb12u2vulnerable
sid, trixie6.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsource(unstable)6.12-1

Notes

https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
Not a code fix, this merely disables ESI by default (and thus in the Debian build)
Upstream disabled ESI support in default builds already in 6.10 but Debian builds
still contained --enable-esi until the 6.12-1 upload.

Search for package or bug name: Reporting problems