
Debian 11: DLA-4083-1 critical: squid DoS and memory errors

debian lts
March 11, 2025
Several security vulnerabilities have been discovered in Squid, a full-featured web proxy cache.

Summary

CVE-2024-25111

A possible Denial of Service attack against the HTTP Chunked decoder due
to an uncontrolled recursion bug. This problem allows a remote
attacker to cause Denial of Service by sending a crafted,
chunked-encoded HTTP message.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error. This error can
lead to a Denial of Service attack.

CVE-2024-45802

Disable ESI feature support.
Due to Input Validation, Premature Release of Resource During Expected
Lifetime, and Missing Release of Resource after Effective Lifetime bugs,
Squid is vulnerable to Denial of Service attacks by a trusted server
against all clients using the proxy. This problem is fixed by changing
the build configuration to specify the --disable-esi option.

For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u4.

We recommend that you upgrade your squid packages.



Severity: critical

Package: squid
Version: 4.13-10+deb11u4
CVE ID: CVE-2024-25111, CVE-2024-37894, CVE-2024-45802
Debian Bug:
