CVE-2023-49288: 
Squid vulnerability analysis and mitigation

Squid, a caching proxy for the Web supporting HTTP, HTTPS, and FTP, was found to contain a Use-After-Free vulnerability (CVE-2023-49288) that affects versions 3.5 through 5.9. The vulnerability was discovered by Joshua Rogers of Opera Software and was disclosed on December 4, 2023. The issue specifically affects systems configured with 'collapsed_forwarding on', while configurations with 'collapsed_forwarding off' or without a 'collapsed_forwarding' directive are not vulnerable (Vendor Advisory).

The vulnerability is classified as a Use-After-Free (CWE-416) bug in the HTTP Collapsed Forwarding feature. It has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) attack against systems running Squid with collapsed forwarding enabled. The impact is primarily on the availability of the service, with no direct effect on confidentiality or integrity (Vendor Advisory, NetApp Advisory).

The vulnerability has been fixed in Squid version 6.0.1. For users unable to upgrade immediately, the recommended workaround is to remove all collapsed_forwarding lines from their squid.conf configuration file. Systems configured with 'collapsed_forwarding off' or without any 'collapsed_forwarding' directive are not vulnerable (Vendor Advisory).

Various Linux distributions and vendors have responded to this vulnerability by releasing security updates. Ubuntu has released multiple security notices (USN-6728-1, USN-6728-2, and USN-6728-3) to address this issue, with some initial patches requiring revision due to implementation issues (Ubuntu Notice). Fedora has also released updates for both Fedora 38 and 39 to address this vulnerability along with other security issues (Fedora Update).