Netgate Discussion Forum

Squid vulnerability: SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP

  • S
    SashLi
    last edited by Oct 24, 2023, 1:10 PM

    There is a critical vulnerability in the actual package version. Any plans for the fix / patch files?

    Due to chunked decoder lenience Squid is vulnerable to
    Request/Response smuggling attacks when parsing HTTP/1.1
    and ICAP messages.

    Workaround:

    ICAP issues can be reduced by ensuring only trusted ICAP
    services are used, with TLS encrypted connections
    (ICAPS extension).
    
    There is no workaround for the HTTP Request Smuggling issue.
    

    CVSS Score of 9.3

    GitHub:
    SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP

    • M
      mr_snow
      last edited by mr_snow Oct 26, 2023, 1:39 PM Oct 26, 2023, 1:39 PM

      There are also two other critical vulnerabilities:

      • SQUID-2023:3 Denial of Service in HTTP Digest Authentication
      • SQUID-2023:2 Multiple issues in HTTP response caching
      • M
        mr_snow @mr_snow
        last edited by mr_snow Oct 27, 2023, 12:41 PM Oct 27, 2023, 12:41 PM

        I just filed a ticket for this hoping that it gets more attention: https://redmine.pfsense.org/issues/14926

        • M
          mr_snow @mr_snow
          last edited by mr_snow Dec 4, 2023, 12:33 PM Dec 4, 2023, 12:32 PM

          My ticket was finally rejected because Squid will be removed in the next major version: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software
