Hello,
I'm a security engineer at SUSE. I'm looking at the following security
advisory [0] but I'm not able to identify the correct commit that fixes
the issue CVE-2023-49288 in squid 6.0.1.
I also looked at the report published at [1], the security advisory is
linked to a "Use-After-Free in Trace Requests" vulnerability [2] but the
mitigation suggested ("collapsed_forwarding off") for squid before 6.0.1
doesn't prevent the crash of squid with the PoC provided (this makes me
wonder if the link between the two sources is correct or if they refer
to two different bugs) (tried with squid 5.7).
[0] https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
[1] https://megamansec.github.io/Squid-Security-Audit/
[2] https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html
Thanks a lot,
Have a nice day,
Andrea
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-dev