Bugzilla – Bug 1216495
VUL-0: CVE-2023-46847: squid: Denial of Service in HTTP Digest Authentication (SQUID-2023:3)
Last modified: 2023-11-30 09:00:02 UTC
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g

Package: squid
Affected versions: 3.2.0.1-5.9, 6.0-6.3
Patched versions: 6.4

Description:
Due to a buffer overflow bug, Squid is vulnerable to a Denial of Service attack against HTTP Digest Authentication.

Severity:
This problem allows a remote client to perform a buffer overflow attack, writing up to 2 MB of arbitrary data to heap memory, when Squid is configured to accept HTTP Digest Authentication. On machines with advanced memory protections this will result in a Denial of Service against all users of the Squid proxy.

CVSS Score of 9.9
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable releases can be found in our patch archives:
Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_3.patch
Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_3.patch

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
The Squid 5 patch is directly applicable to
- SUSE:SLE-15-SP4:Update squid-5.7
- SUSE:SLE-15:Update squid-4.17
- SUSE:SLE-12-SP5:Update squid-4.17
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update squid-4.17
- SUSE:SLE-12-SP2:Update squid-3.5.21
CVE-2023-46847 was assigned to this issue.
This is an autogenerated message for OBS integration:
This bug (1216495) was mentioned in
https://build.opensuse.org/request/show/1122203 Factory / squid
SUSE-SU-2023:4381-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): squid-4.17-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4380-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
openSUSE Leap 15.4 (src): squid-5.7-150400.3.12.1
openSUSE Leap 15.5 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP4 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP5 (src): squid-5.7-150400.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4384-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Enterprise Storage 7.1 (src): squid-4.17-150000.5.38.1
SUSE CaaS Platform 4.0 (src): squid-4.17-150000.5.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
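The upstream advisory quoted earlier in this bug gives the affected ranges (3.2.0.1-5.9 and 6.0-6.3, fixed in 6.4), and the three SUSE-SU notices above give the fixed package builds per product. The Python below is an added example, not code from this bug, from the Squid project or from SUSE: it checks an upstream version against the advisory's ranges, and checks a SUSE package name-version-release string against the fixed build a notice lists for that product. The product table copies three of the entries from the notices on this page; the version comparison is a simplified numeric one (an assumption, not rpm's rpmvercmp) that ignores epochs and non-numeric segments, and the "older" package string in the usage block is constructed for illustration.

```python
"""Check a Squid build against the ranges and package builds quoted in this bug.

Added example, not from the Squid project or SUSE. Version comparison is a
simplified numeric one (assumption): it ignores RPM epochs and non-numeric
segments, which rpm's real rpmvercmp handles.
"""
from typing import Dict, Tuple

# Upstream ranges from advisory GHSA-phqj-m8gv-cq4g (SQUID-2023:3).
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (("3.2.0.1", "5.9"), ("6.0", "6.3"))
PATCHED_VERSION = "6.4"

# Fixed SUSE builds as listed in the SUSE-SU-2023:4381-1, 4380-1 and 4384-1
# notices on this bug (a subset of the products they name).
FIXED_SUSE_PACKAGES: Dict[str, str] = {
    "SUSE Linux Enterprise Server 12 SP5": "squid-4.17-4.30.1",
    "openSUSE Leap 15.5": "squid-5.7-150400.3.12.1",
    "SUSE Linux Enterprise Server 15 SP3 LTSS": "squid-4.17-150000.5.38.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.0.1' -> (3, 2, 0, 1); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a plain dotted version: {text!r}")
    return tuple(int(part) for part in parts)


def is_affected_upstream(version: str) -> bool:
    """True if an unpatched upstream Squid of this version is in an affected range.

    The upper bound is matched on its prefix, so 6.3.x counts as 6.3; the lower
    bound is compared in full, so 3.2 (which precedes 3.2.0.1) is not flagged.
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        low_t, high_t = parse_version(low), parse_version(high)
        if v >= low_t and v[: len(high_t)] <= high_t:
            return True
    return False


def split_nevr(nevr: str) -> Tuple[str, Tuple[int, ...], Tuple[int, ...]]:
    """'squid-4.17-4.30.1' -> ('squid', (4, 17), (4, 30, 1))."""
    name, version, release = nevr.rsplit("-", 2)
    return name, parse_version(version), parse_version(release)


def suse_package_patched(installed_nevr: str, product: str) -> bool:
    """True if the installed SUSE package is at or past the fixed build for the product.

    Distribution packages keep the upstream base version (4.17, 5.7) and carry
    the backported fix in the release field, so the upstream range check alone
    would flag a patched SUSE package; compare version and release instead.
    """
    fixed_nevr = FIXED_SUSE_PACKAGES[product]
    name, version, release = split_nevr(installed_nevr)
    fixed_name, fixed_version, fixed_release = split_nevr(fixed_nevr)
    if name != fixed_name:
        raise ValueError(f"package {name!r} is not {fixed_name!r}")
    return (version, release) >= (fixed_version, fixed_release)


if __name__ == "__main__":
    for ver in ("3.1.23", "3.5.21", "4.17", "5.7", "6.3.1", PATCHED_VERSION):
        state = "affected" if is_affected_upstream(ver) else "not affected"
        print(f"upstream {ver}: {state}")
    # "squid-4.17-4.27.1" is a constructed older build; 4.30.1 is the fixed one.
    for pkg in ("squid-4.17-4.27.1", "squid-4.17-4.30.1"):
        ok = suse_package_patched(pkg, "SUSE Linux Enterprise Server 12 SP5")
        print(f"{pkg} on SLES 12 SP5: {'patched' if ok else 'NOT patched'}")
```

The point of the second check is the one the bug itself illustrates: the SUSE packages stay at upstream 4.17 or 5.7 after the fix, so a scanner that only reads the base version will keep reporting them as vulnerable; the release field from the SUSE-SU notice is what distinguishes a fixed build.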