vulnerability
Oracle Linux: CVE-2024-23638: ELSA-2024-4861: squid security update (MODERATE) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:N/I:N/A:C) | Jan 24, 2024 | Aug 16, 2024 | Oct 29, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published
Jan 24, 2024
Added
Aug 16, 2024
Modified
Oct 29, 2025
Description
Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.
A flaw was found in Squid, resulting in a potential denial of service attack targeting Cache Manager error responses. This issue enables a trusted client to execute a denial of service by manipulating the generation of error pages for Client Manager reports.
A flaw was found in Squid, resulting in a potential denial of service attack targeting Cache Manager error responses. This issue enables a trusted client to execute a denial of service by manipulating the generation of error pages for Client Manager reports.
Solutions
oracle-linux-upgrade-libecaporacle-linux-upgrade-libecap-develoracle-linux-upgrade-squid
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.