Apply security fixes from Squid 6 to frontier-squid-5.9-2 (!3) · Merge requests · frontier / Frontier tarballs / frontier-squid5

Carl Vuosalo requested to merge fix-vulnerabilities into master Jan 11, 2024

Squid 6.6 contains fixes for several security vulnerabilities. Unfortunately, it also has a bug related to collapsed forwarding, so it is not usable for frontier-squid. To quickly address the vulnerabilities, the security fixes from Squid 6 are backported to frontier-squid-5.9-2. The fixes are for:

https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
https://megamansec.github.io/Squid-Security-Audit/ftp-assert.html
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html

Two vulnerabilities are addressed by disabling Gopher and TRACE requests in the squid.conf.proto file:

https://megamansec.github.io/Squid-Security-Audit/gopher-nullpointer.html
https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html

Edited Jan 11, 2024 by Carl Vuosalo

Apply security fixes from Squid 6 to frontier-squid-5.9-2

Merge request reports