{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2022-41317: fix exposure of sensitive cache manager information via\n  non-HTTP URI schemes due to typo in default manager ACL regex\n- CVE-2023-49288: fix use-after-free in StoreEntry::startWriting() reachable\n  via oversized replies with collapsed_forwarding enabled",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1777054556.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-24T18:16:29Z",
      "generator": {
        "date": "2026-04-24T18:16:29Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1777054556",
      "initial_release_date": "2026-04-24T18:16:29Z",
      "revision_history": [
        {
          "date": "2026-04-24T18:16:29Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "squid: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.6",
                "product": {
                  "name": "AlmaLinux 9.6",
                  "product_id": "AlmaLinux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Rocky Linux 9.6",
                "product": {
                  "name": "Rocky Linux 9.6",
                  "product_id": "Rocky Linux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Rocky Linux"
          }
        ],
        "category": "vendor",
        "name": "Rocky Linux"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
                "product": {
                  "name": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
                  "product_id": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/squid@5.5-19.el9_6.1.tuxcare.els5?arch=x86_64&epoch=7"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
        },
        "product_reference": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
        },
        "product_reference": "squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-41317",
      "cwe": {
        "id": "CWE-697",
        "name": "Incorrect Comparison"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
          "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2022-41317"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch",
          "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq",
          "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2022/09/23/1",
          "url": "https://www.openwall.com/lists/oss-security/2022/09/23/1"
        }
      ],
      "release_date": "2022-12-25T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-24T18:15:59.365068Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556",
          "product_ids": [
            "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
            "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
            "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-49288",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with \"collapsed_forwarding on\" are vulnerable. Configurations with \"collapsed_forwarding off\" or without a \"collapsed_forwarding\" directive are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should remove all collapsed_forwarding lines from their squid.conf.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
          "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-49288"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5",
          "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20240119-0006/",
          "url": "https://security.netapp.com/advisory/ntap-20240119-0006/"
        }
      ],
      "release_date": "2023-12-04T23:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-24T18:15:59.365068Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556",
          "product_ids": [
            "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
            "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777054556"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64",
            "Rocky Linux-9.6:squid-7:5.5-19.el9_6.1.tuxcare.els5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}