Bugzilla – Bug 1216500
VUL-0: CVE-2023-46846: squid: Request/Response smuggling in HTTP/1.1 and ICAP (SQUID-2023:1)
Last modified: 2024-03-22 10:51:26 UTC
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh

Package: squid
Affected versions: 2.6-6.3
Patched versions: 6.4

Description:
Due to chunked decoder lenience Squid is vulnerable to Request/Response smuggling attacks when parsing HTTP/1.1 and ICAP messages.

Severity:
This problem allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems when the upstream server interprets the chunked encoding syntax differently from Squid.
This attack is limited to the HTTP/1.1 and ICAP protocols which support receiving Transfer-Encoding:chunked.
CVSS Score of 9.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.
In addition, patches addressing this problem for the stable releases can be found in our patch archives:
Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch
Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_1.patch
If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.

Determining if your version is vulnerable:
Squid older than 5.1 have not been tested and should be assumed to be vulnerable.
All Squid-5.x up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.

Workaround:
* ICAP issues can be reduced by ensuring only trusted ICAP services are used, with TLS encrypted connections (ICAPS extension).
* There is no workaround for the HTTP Request Smuggling issue.
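Added illustration, not part of the advisory and not Squid source: the condition the advisory describes ("the upstream server interprets the chunked encoding syntax differently from Squid") is two chunked decoders cutting the same byte stream into messages at different places. The two lenient chunk-size parsers below are hypothetical stand-ins for that lenience, not the actual Squid defect: one keeps the leading hex digits and ignores the rest of the line, the other hands the token to a general-purpose integer parser that tolerates a "0x" prefix. The strict parser follows the RFC 9112 chunk-size grammar and refuses the ambiguous line outright, which is what removing the lenience on either side amounts to. The crafted stream, the /admin request, the Host value and all function names are constructed for this example.

```python
"""Chunked-encoding desync between two lenient decoders (constructed example)."""
import re

CRLF = b"\r\n"


class ChunkError(ValueError):
    """A decoder refused the chunked body."""


# --- chunk-size line parsers: one strict, two hypothetically lenient -------

def size_strict(line: bytes) -> int:
    """RFC 9112 s7.1: chunk-size = 1*HEXDIG, then an optional chunk-ext that
    must begin with ';'. Anything else is a malformed chunk."""
    m = re.fullmatch(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?", line)
    if m is None:
        raise ChunkError("malformed chunk-size line: %r" % line)
    return int(m.group(1), 16)


def size_lenient_prefix(line: bytes) -> int:
    """Hypothetical lenience #1: use the leading hex digits and silently drop
    the rest of the line, even when no ';' introduces it."""
    m = re.match(rb"[0-9A-Fa-f]+", line)
    if m is None:
        raise ChunkError("malformed chunk-size line: %r" % line)
    return int(m.group(0), 16)


def size_lenient_int(line: bytes) -> int:
    """Hypothetical lenience #2: hand the token before ';' to a general-purpose
    integer parser. int(x, 16) accepts a 0x prefix, surrounding whitespace,
    a sign and '_' separators, none of which the chunk-size grammar allows."""
    token = line.split(b";", 1)[0].decode("latin-1")
    try:
        return int(token, 16)
    except ValueError:
        raise ChunkError("malformed chunk-size line: %r" % line) from None


def decode_chunked(stream: bytes, size_parser) -> tuple[bytes, bytes]:
    """Decode one chunked message body from the start of `stream`.

    Returns (body, leftover). `leftover` is what an HTTP/1.1 parser would read
    as the beginning of the *next* message on the connection; two peers that
    compute different leftovers are desynchronised, which is the smuggling
    condition.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(CRLF, pos)
        if eol < 0:
            raise ChunkError("chunk-size line not terminated by CRLF")
        size = size_parser(stream[pos:eol])
        if size < 0:
            raise ChunkError("negative chunk-size")
        pos = eol + len(CRLF)
        if size == 0:          # last-chunk
            break
        data = stream[pos:pos + size]
        if len(data) != size or stream[pos + size:pos + size + 2] != CRLF:
            raise ChunkError("chunk-data not followed by CRLF")
        body += data
        pos += size + len(CRLF)
    while True:                # trailer section ends at an empty line
        eol = stream.find(CRLF, pos)
        if eol < 0:
            raise ChunkError("trailer section not terminated")
        line, pos = stream[pos:eol], eol + len(CRLF)
        if line == b"":
            return bytes(body), stream[pos:]


def rejects(stream: bytes, size_parser) -> bool:
    """True if the decoder built on `size_parser` refuses `stream` outright."""
    try:
        decode_chunked(stream, size_parser)
    except ChunkError:
        return True
    return False


# Constructed attacker payload; the /admin request line and Host are made up.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"      # 37 bytes
# 0x27 == 39 == len(CRLF + SMUGGLED). The prefix-only decoder reads "0" and
# stops at 'x' (last-chunk), so SMUGGLED becomes the next request; the
# int()-based decoder reads 0x27 and swallows CRLF + SMUGGLED as chunk data.
CRAFTED = b"0x27" + CRLF + CRLF + SMUGGLED + CRLF + b"0" + CRLF + CRLF


def demonstrate() -> dict:
    """Body/leftover as seen by each decoder, for the same byte stream."""
    out = {}
    for name, parser in (("strict", size_strict),
                         ("lenient_prefix", size_lenient_prefix),
                         ("lenient_int", size_lenient_int)):
        try:
            out[name] = decode_chunked(CRAFTED, parser)
        except ChunkError as exc:
            out[name] = ("rejected", str(exc))
    return out


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(name, "->", result)
```

Running it shows the prefix decoder returning an empty body with the /admin request as leftover (a second request on the connection), the int()-based decoder returning the /admin request as body with nothing left over, and the strict decoder rejecting the stream. Any pair of peers that disagree in this way is exploitable regardless of which one sits in front; only strict parsing on both ends removes the disagreement.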
The fix is likely this commit: https://github.com/squid-cache/squid/commit/6cfa10d94ca15a764a1d975597d8024582ef19be All codestreams are affected. No workaround for HTTP, but the request smuggling can be limited for ICAP by allowing ICAPS only.
CVE-2023-46846 was added to this issue.
Upstream patch links are accessible this time: http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch http://www.squid-cache.org/Versions/v6/SQUID-2023_1.patch
This is an autogenerated message for OBS integration: This bug (1216500) was mentioned in https://build.opensuse.org/request/show/1122203 Factory / squid
SUSE-SU-2023:4381-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): squid-4.17-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4380-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
openSUSE Leap 15.4 (src): squid-5.7-150400.3.12.1
openSUSE Leap 15.5 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP4 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP5 (src): squid-5.7-150400.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4384-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Enterprise Storage 7.1 (src): squid-4.17-150000.5.38.1
SUSE CaaS Platform 4.0 (src): squid-4.17-150000.5.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing