CVE-2024-45802: 
Squid vulnerability analysis and mitigation

Squid, an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more, was found to contain multiple vulnerabilities related to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs. The vulnerability was discovered by Joshua Rogers of Opera Software and was assigned CVE-2024-45802. The issue affects Squid versions from 3.0 to 6.9 and was fixed in version 6.10 through changes in the default build configuration (GitHub Advisory).

The vulnerability received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability specifically affects Squid when acting as a reverse proxy where the ESI (Edge Side Includes) feature has been enabled at build time. The ESI feature was enabled by default in all Squid versions from 3.0 to 6.9 (GitHub Advisory).

When successfully exploited, this vulnerability allows a trusted server to perform a Denial of Service attack when processing ESI response content. The impact affects all domains being serviced by the proxy and all clients using it during the affected period (GitHub Advisory).

The primary mitigation is to upgrade to Squid version 6.10 or later, where ESI is disabled by default. For affected versions, users can build Squid with the '--disable-esi' configuration option. To determine if a version is vulnerable, users can run 'squid -v' to check the version number and build configuration parameters. Versions 3.x, 4.x, 5.x, and 6.0.1 to 6.9 are vulnerable unless the output contains '--disable-esi', while versions 6.10 and later are only vulnerable if the output contains '--enable-esi' (GitHub Advisory).

Various Linux distributions and vendors have responded to this vulnerability. Debian has addressed the issue in version 6.12-1 by disabling ESI support in their builds. Red Hat has also disabled ESI in their stable releases. Ubuntu has noted that disabling ESI would be a breaking change and could possibly be considered a regression in functionality (Ubuntu Security).