CVE-2022-41317

NameCVE-2022-41317
DescriptionAn issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3151-1, DSA-5258-1
Debian Bugs1020587

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)bullseye (security), bullseye4.13-10+deb11u3fixed
bookworm, bookworm (security)5.7-2+deb12u2fixed
sid, trixie6.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsourcebuster4.6-1+deb10u8DLA-3151-1
squidsourcebullseye4.13-10+deb11u2DSA-5258-1
squidsource(unstable)5.7-11020587
squid3source(unstable)(unfixed)

Notes

https://www.openwall.com/lists/oss-security/2022/09/23/1
Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
Squid 5: http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch (5.7)

Search for package or bug name: Reporting problems