USN-6728-2: Squid regression

The recent security update for Squid, published as USN-6728-1, was intended to fix several vulnerabilities in this widely used caching proxy. Among them, the patch addressed CVE-2023-5824, a flaw that could allow a remote attacker to exhaust system resources and cause a denial of service.

Unfortunately, the fix for CVE-2023-5824 introduced a regression that caused Squid to crash under specific conditions on Ubuntu 20.04 LTS. As a result, that update has been temporarily reverted while the underlying problem is investigated and corrected.

Joshua Rogers, the security researcher behind these findings, identified multiple vulnerabilities across different components of Squid:

  • CVE-2023-49288: a use-after-free bug affecting deployments with collapsed forwarding enabled.
  • CVE-2024-23638: a flaw in Cache Manager error responses that trusted remote clients could exploit.
  • CVE-2024-25111 and CVE-2024-25617: weaknesses in HTTP request processing and header handling.

These vulnerabilities underline how important it is to keep systems and applications up to date. Organisations must stay vigilant and ensure that systems are patched regularly and appropriately.

For system administrators and security teams running Squid, particularly on the affected Ubuntu 20.04 LTS systems, it is advisable to roll back to the previous stable version of the package until a corrected update is confirmed. Monitoring the official announcements and applying the follow-up update promptly will be crucial to maintaining system integrity and security.

For effective system and server management, consider a platform such as LinuxPatch, which specialises in streamlined patch management for Linux servers. Such tools can automate and manage the deployment of necessary updates, helping keep systems defended against known vulnerabilities without the downtime risks that come with manual patching errors.