A squid3 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address two vulnerabilities.

ELA-660-1 squid3 security update

Package squid3
Version 3.5.23-5+deb8u5 (jessie), 3.5.23-5+deb9u8 (stretch)
Related CVEs CVE-2021-28116 CVE-2021-46784

Two vulnerabilities were discovered in squid3, a popular HTTP caching proxy:

CVE-2021-28116: Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.

CVE-2021-46784: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

For Debian 8 jessie, these problems have been fixed in version 3.5.23-5+deb8u5.

For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u8.

We recommend that you upgrade your squid3 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-660-1 squid3 security update