Hello, fellow Squid users,

This week, we learned of multiple critical vulnerabilities in the popular Squid caching proxy that are among the most threatening we’ve seen in a while.

The National Vulnerability Database agrees, giving these bugs a base score of 9.8 out of 10 due to their potential to lead to security breaches or other forms of system instability or unavailability. These severe bugs could result in the compromise and theft of your sensitive data and loss of access to your critical systems. Yeah, it’s terrible news for those who fail to patch their systems immediately! 

Read on for more information on these vulnerabilities, what these issues mean for you, and pointers to the distributions that have already released updates mitigating these flaws.

This week's newsletter covers essential updates for Xorg and Chromium as well.

We aim to help you understand complex open-source security topics with more practical guidance and language. If you found this useful, please tell us what you think and share it with your friends. We'd love to hear from you!

Stay safe out there,

Brittany Signature 150 Esm W150

Squid

The Discovery 

Several critical vulnerabilities were found in the popular Squid caching proxy, including request/response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846), denial of service in HTTP Digest Authentication (CVE-2023-46847), and denial of service in FTP (CVE-2023-46848). CVE-2023-46846 and CVE-2023-46847 have received a National Vulnerability Database base score of 9.8 out of 10 due to their potential to lead to security breaches or other forms of system instability or unavailability.

Squid Esm W261

The Impact

These severe bugs could result in the compromise and theft of your sensitive data and loss of access to your critical systems.

The Fix

Squid has released a critical security update mitigating these dangerous and impactful flaws. Given these vulnerabilities’ severe threat to affected systems, if left unpatched, we urge all impacted users to update now. Doing so will protect against downtime, system compromise, and data theft.

Your Related Advisories:

[distro_list_1]

Xorg

The Discovery 

Xorg Esm W251

Have you updated to mitigate the severe out-of-bounds write flaw in the widely used Xorg X server (CVE-2023-5367)? Due to how simple this vulnerability is to exploit and its potential to result in loss of system access and further malicious attacks on impacted systems, this bug has received a National Vulnerability Database base score of 7.8 out of 10 (“High” severity).

The Impact

This severe vulnerability could lead to privilege escalation and denial of service attacks, resulting in loss of system access and allowing an attacker to identify additional infrastructure to attack, add or delete users, or modify permissions of files or other users. 

The Fix

An important Xorg security update has been released to mitigate this dangerous vulnerability. Given this bug’s severe threat to impacted systems, if left unpatched, we strongly recommend that all affected users apply these updates immediately to protect against downtime, system compromise, and future malicious attacks against their Linux environment.

Your Related Advisories:

[distro_list_2]

Chromium

The Discovery 

Distros continue to release updates addressing a severe use-after-free vulnerability recently found in Chromium (CVE-2023-5472). A remote attacker could exploit heap corruption via a crafted HTML page. This flaw, which has received a National Vulnerability Database base score of 8.8 out of 10 (“High” severity), is related to a bug in the webRTC (Real-time Communication) functionality and is among the most severe threats to your personal information we’ve seen in a long time!

Chromium Esm W225

The Impact

This bug enables threat actors to access portions of your computer's memory without authorization, potentially resulting in cybercriminals sharing your personal information without your knowledge.

The Fix

Chromium has released a critical update that fixes this impactful issue. Given this vulnerability's severe threat to affected systems, if left unpatched, we urge all impacted users who have not yet updated to the latest version of Chromium to update immediately! Doing so will protect against loss of system access, system compromise, and information leaks.

Your Related Advisories:

[distro_list_3]