An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1124 Final 1.0 1.0 2024-02-02 Initial 2024-02-02 2024-02-02 openEuler SA Tool V1.0 2024-02-02 squid security update An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests. Security Fix(es): Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.(CVE-2024-23638) An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium squid https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1124 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-23638 https://nvd.nist.gov/vuln/detail/CVE-2024-23638 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 squid-debugsource-4.9-19.oe1.aarch64.rpm squid-debuginfo-4.9-19.oe1.aarch64.rpm squid-4.9-19.oe1.aarch64.rpm squid-4.9-19.oe2003sp4.aarch64.rpm squid-debuginfo-4.9-19.oe2003sp4.aarch64.rpm squid-debugsource-4.9-19.oe2003sp4.aarch64.rpm squid-debuginfo-4.9-23.oe2203.aarch64.rpm squid-4.9-23.oe2203.aarch64.rpm squid-debugsource-4.9-23.oe2203.aarch64.rpm squid-debuginfo-4.9-23.oe2203sp1.aarch64.rpm squid-4.9-23.oe2203sp1.aarch64.rpm squid-debugsource-4.9-23.oe2203sp1.aarch64.rpm squid-debugsource-4.9-23.oe2203sp2.aarch64.rpm squid-debuginfo-4.9-23.oe2203sp2.aarch64.rpm squid-4.9-23.oe2203sp2.aarch64.rpm squid-debugsource-4.9-23.oe2203sp3.aarch64.rpm squid-4.9-23.oe2203sp3.aarch64.rpm squid-debuginfo-4.9-23.oe2203sp3.aarch64.rpm squid-4.9-19.oe1.src.rpm squid-4.9-19.oe2003sp4.src.rpm squid-4.9-23.oe2203.src.rpm squid-4.9-23.oe2203sp1.src.rpm squid-4.9-23.oe2203sp2.src.rpm squid-4.9-23.oe2203sp3.src.rpm squid-debuginfo-4.9-19.oe1.x86_64.rpm squid-4.9-19.oe1.x86_64.rpm squid-debugsource-4.9-19.oe1.x86_64.rpm squid-4.9-19.oe2003sp4.x86_64.rpm squid-debuginfo-4.9-19.oe2003sp4.x86_64.rpm squid-debugsource-4.9-19.oe2003sp4.x86_64.rpm squid-debugsource-4.9-23.oe2203.x86_64.rpm squid-debuginfo-4.9-23.oe2203.x86_64.rpm squid-4.9-23.oe2203.x86_64.rpm squid-debugsource-4.9-23.oe2203sp1.x86_64.rpm squid-4.9-23.oe2203sp1.x86_64.rpm squid-debuginfo-4.9-23.oe2203sp1.x86_64.rpm squid-4.9-23.oe2203sp2.x86_64.rpm squid-debugsource-4.9-23.oe2203sp2.x86_64.rpm squid-debuginfo-4.9-23.oe2203sp2.x86_64.rpm squid-debugsource-4.9-23.oe2203sp3.x86_64.rpm squid-debuginfo-4.9-23.oe2203sp3.x86_64.rpm squid-4.9-23.oe2203sp3.x86_64.rpm Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid s patch archives. As a workaround, prevent access to Cache Manager using Squid s main access control: `http_access deny manager`. 2024-02-02 CVE-2024-23638 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H squid security update 2024-02-02 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1124