Alpine: multiple squid packages: security update to 3.5.27-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400708

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid
Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability.
The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger
the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-
service condition to users of the system. Was ZDI-CAN-6088. (CVE-2018-1172)

- The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a
Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service
for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP
response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed
in 4.0.23 and later. (CVE-2018-1000024)

- The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL
Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in
Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server
responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to
have been fixed in 4.0.23 and later. (CVE-2018-1000027)

See Also

https://git.alpinelinux.org/aports/commit/?id=3f38e90e7985c0d00b2421e41a50d9e0483b997a

https://git.alpinelinux.org/aports/commit/?id=c545db531f47bc10e43a2042c755e4700c39b964

Plugin Details

Severity: High

ID: 400708

Version: Revision 1.24

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2018-1000027

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/22/2018

Vulnerability Publication Date: 1/23/2018

Reference Information

CVE: CVE-2018-1000024, CVE-2018-1000027, CVE-2018-1172