Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid vulnerability: SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP

    Scheduled Pinned Locked Moved
    Cache/Proxy
    2
    4
    515
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SashLi
      last edited by

      There is a critical vulnerability in the actual package version. Any plans for the fix / patch files ?

      Due to chunked decoder lenience Squid is vulnerable to
      Request/Response smuggling attacks when parsing HTTP/1.1
      and ICAP messages.

      Workaround:

      ICAP issues can be reduced by ensuring only trusted ICAP
services are used, with TLS encrypted connections
(ICAPS extension).

There is no workaround for the HTTP Request Smuggling issue.

      CVSS Score of 9.3

      Github:
      SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP

      1 Reply Last reply Reply Quote 1
      • M
        mr_snow
        last edited by mr_snow

        There are also two other critical vulnerabilities:

        • SQUID-2023:3 Denial of Service in HTTP Digest Authentication
        • SQUID-2023:2 Multiple issues in HTTP response caching
        M 1 Reply Last reply Reply Quote 0
        • M
          mr_snow @mr_snow
          last edited by mr_snow

          I just filed a ticket for this hoping that it gets more attention: https://redmine.pfsense.org/issues/14926

          M 1 Reply Last reply Reply Quote 0
          • M
            mr_snow @mr_snow
            last edited by mr_snow

            My ticket was finally rejected because Squid will be removed in the next major version: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

            1 Reply Last reply Reply Quote 0
            • First post
              Last post