diff -Nru squid-6.1/debian/changelog squid-6.1/debian/changelog
--- squid-6.1/debian/changelog 2023-11-13 13:41:30.000000000 +0000
+++ squid-6.1/debian/changelog 2024-01-09 01:50:09.000000000 +0000
@@ -1,3 +1,21 @@
+squid (6.1-2ubuntu1.2) mantic-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in HTTP message processing
+ - debian/patches/CVE-2023-49285.patch: additional parsing checks added to
+ fix buffer overread in src/time/rfc1123.cc.
+ - CVE-2023-49285
+ * SECURITY UPDATE: denial of service in helper process management
+ - debian/patches/CVE-2023-49286.patch: improved error handling included
+ for helper process initialisation in src/ipc.cc.
+ - CVE-2023-49286
+ * SECURITY UPDATE: denial of service in HTTP request parsing
+ - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log
+ limit as error when exceeded in src/ClientRequestContext.h,
+ src/client_side_request.cc.
+ - CVE-2023-50269
+
+ -- Evan Caville Tue, 09 Jan 2024 11:50:09 +1000
+
 squid (6.1-2ubuntu1.1) mantic-security; urgency=medium
 * SECURITY UPDATE: DoS against certificate validation
diff -Nru squid-6.1/debian/patches/CVE-2023-49285.patch squid-6.1/debian/patches/CVE-2023-49285.patch
--- squid-6.1/debian/patches/CVE-2023-49285.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-6.1/debian/patches/CVE-2023-49285.patch 2024-01-08 06:02:00.000000000 +0000
@@ -0,0 +1,27 @@
+commit deee944f9a12c9fd399ce52f3e2526bb573a9470
+Author: Alex Rousskov
+Date: Wed Oct 25 19:41:45 2023 +0000
+
+ RFC 1123: Fix date parsing (#1538)
+
+ The bug was discovered and detailed by Joshua Rogers at
+ https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
+ where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
+ Handling".
+
+--- a/src/time/rfc1123.cc
++++ b/src/time/rfc1123.cc
+@@ -50,7 +50,13 @@
+ char month[3];
+
+ month[0] = xtoupper(*s);
++ if (!month[0])
++ return -1; // protects *(s + 1) below
++
+ month[1] = xtolower(*(s + 1));
++ if (!month[1])
++ return -1; // protects *(s + 2) below
++
+ month[2] = xtolower(*(s + 2));
+
+ for (i = 0; i < 12; i++)
diff -Nru squid-6.1/debian/patches/CVE-2023-49286.patch squid-6.1/debian/patches/CVE-2023-49286.patch
--- squid-6.1/debian/patches/CVE-2023-49286.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-6.1/debian/patches/CVE-2023-49286.patch 2024-01-08 06:02:11.000000000 +0000
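Review bot: The added guards stop one byte short of the data they read: `month[0]` and `month[1]` are tested before the next dereference, but `month[2]` is filled from `*(s + 2)` and never tested, and the `for` loop body that consumes it lies outside the hunk, so whether a NUL third byte is handled safely cannot be confirmed from here (if that body compares all three bytes, a NUL simply fails to match any month name). Stating the requirement once, before the first read, `if (!s[0] || !s[1]) return -1; // need two readable bytes before reaching *(s + 2)`, is equivalent to the two interleaved checks (short-circuit evaluation never reads `s[1]` when `s[0]` is NUL) and makes the minimum input length the function relies on explicit. The enclosing function starts and ends outside the hunk.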
@@ -0,0 +1,77 @@
+commit 6014c6648a2a54a4ecb7f952ea1163e0798f9264
+Author: Alex Rousskov
+Date: Fri Oct 27 21:27:20 2023 +0000
+
+ Exit without asserting when helper process startup fails (#1543)
+
+ ... to dup() after fork() and before execvp().
+
+ Assertions are for handling program logic errors. Helper initialization
+ code already handled system call errors correctly (i.e. by exiting the
+ newly created helper process with an error), except for a couple of
+ assert()s that could be triggered by dup(2) failures.
+
+ This bug was discovered and detailed by Joshua Rogers at
+ https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html
+ where it was filed as 'Assertion in Squid "Helper" Process Creator'.
+
+--- a/src/ipc.cc
++++ b/src/ipc.cc
+@@ -22,6 +22,11 @@
+
+ #include
+ #include
++#include
++
++#if HAVE_UNISTD_H
++#include
++#endif
+
+ static const char *hello_string = "hi there\n";
+ #ifndef HELLO_BUF_SZ
+@@ -362,6 +367,22 @@
+ }
+
+ PutEnvironment();
++
++ // A dup(2) wrapper that reports and exits the process on errors. The
++ // exiting logic is only suitable for this child process context.
++ const auto dupOrExit = [prog,name](const int oldFd) {
++ const auto newFd = dup(oldFd);
++ if (newFd < 0) {
++ const auto savedErrno = errno;
++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
++ Debug::Extra << "helper (CHILD) PID: " << getpid() <<
++ Debug::Extra << "helper program name: " << prog <<
++ Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
++ _exit(EXIT_FAILURE);
++ }
++ return newFd;
++ };
++
+ /*
+ * This double-dup stuff avoids problems when one of
+ * crfd, cwfd, or debug_log are in the rage 0-2.
+@@ -369,17 +390,16 @@
+
+ do {
+ /* First make sure 0-2 is occupied by something.
Gets cleaned up later */
+- x = dup(crfd);
+- assert(x > -1);
+- } while (x < 3 && x > -1);
++ x = dupOrExit(crfd);
++ } while (x < 3);
+
+ close(x);
+
+- t1 = dup(crfd);
++ t1 = dupOrExit(crfd);
+
+- t2 = dup(cwfd);
++ t2 = dupOrExit(cwfd);
+
+- t3 = dup(fileno(debug_log));
++ t3 = dupOrExit(fileno(debug_log));
+
+ assert(t1 > 2 && t2 > 2 && t3 > 2);
+
diff -Nru squid-6.1/debian/patches/CVE-2023-50269.patch squid-6.1/debian/patches/CVE-2023-50269.patch
--- squid-6.1/debian/patches/CVE-2023-50269.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-6.1/debian/patches/CVE-2023-50269.patch 2024-01-08 06:15:57.000000000 +0000
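Review bot: The `assert(t1 > 2 && t2 > 2 && t3 > 2);` kept as context after the three `dupOrExit()` calls is now the only assertion left in this sequence, and it appears to be a genuine logic check rather than a disguised system-call check: the loop above only exits once `dup(2)` has returned an FD of 3 or more, which implies 0-2 are occupied, so the later dups should not land below 3 — a one-line comment such as `// logic check only: the loop above has filled FDs 0-2, so dup(2) cannot return them` would spare the next reader from re-deriving why this assert is acceptable while the dup asserts were not. The added `#include` lines have their header names missing in this rendering, so the hunk cannot confirm which headers back `errno`, `_exit()` and `EXIT_FAILURE`; worth a glance in the applied file. The lambda copies `prog` and `name` into the closure, which is harmless in the forked child but unnecessary if those are non-trivial types (not visible here). The enclosing function starts and ends outside the hunk.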
@@ -0,0 +1,75 @@
+commit 567e77f6c37047b62dbb4e5afaf9e81f5bd5ae2b
+Author: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
+Date: Tue Nov 28 07:35:46 2023 +0000
+
+ Limit the number of allowed X-Forwarded-For hops (#1589)
+
+ Squid will ignore all X-Forwarded-For elements listed after the first 64
+ addresses allowed by the follow_x_forwarded_for directive. A different
+ limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
+ macro, but that macro is not a supported Squid configuration interface
+ and may change or disappear at any time.
+
+ Squid will log a cache.log ERROR if the hop limit has been reached.
+
+ This change works around problematic ACLChecklist and/or slow ACLs
+ implementation that results in immediate nonBlockingCheck() callbacks.
+ Such callbacks have caused many bugs and development complications. In
+ clientFollowXForwardedForCheck() context, they lead to indirect
+ recursion that was bound only by the number of allowed XFF entries,
+ which could reach thousands and exhaust Squid process call stack.
+
+ This recursion bug was discovered and detailed by Joshua Rogers at
+ https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
+ where it was filed as "X-Forwarded-For Stack Overflow".
+
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -78,8 +78,13 @@
+ #if USE_OPENSSL
+ bool sslBumpCheckDone = false;
+ #endif
+- ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
+ bool readNextRequest = false; ///< whether Squid should read after error handling
++ ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
++#if FOLLOW_X_FORWARDED_FOR
++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+ };
+
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -74,6 +74,11 @@
+ #endif
+
+ #if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+ static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+
+@@ -438,8 +443,16 @@
+ /* override the default src_addr tested if we have to go deeper than one level into XFF */
+ Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+ }
+- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+- return;
++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++ return;
++ }
++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
++ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
++ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
++ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++ // fall through to resume clientAccessCheck() processing
+ }
+ }
+
diff -Nru
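Review bot: The limit test `if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX)` increments before comparing, so this callback issues at most 63 further `nonBlockingCheck()` calls with the default of 64, yet the ERROR line then reports `currentXffHopNumber` (64) as "addresses allowed by follow_x_forwarded_for"; whether the initial check started outside this hunk accounts for the difference, so that the commit message's "first 64 addresses" holds, cannot be confirmed from the hunk. A comment on the comparison pinning the accounting, e.g. `// counts hops checked from this callback; hop 1 is checked by the caller` (adjusted to whatever the caller actually does), would keep the logged value honest and stop the next reader from suspecting an off-by-one. The same line also writes `request->x_forwarded_for_iterator`, the unconsumed remainder of a client-supplied header, into cache.log at DBG_CRITICAL — useful as a detection signal for requests carrying oversized XFF chains, but log consumers should treat that field as untrusted input. The enclosing function starts and ends outside the hunk.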
squid-6.1/debian/patches/series squid-6.1/debian/patches/series
--- squid-6.1/debian/patches/series 2023-11-13 13:41:14.000000000 +0000
+++ squid-6.1/debian/patches/series 2024-01-08 06:15:52.000000000 +0000
@@ -12,3 +12,6 @@
 CVE-2023-46846.patch
 CVE-2023-46847.patch
 CVE-2023-46848.patch
+CVE-2023-49285.patch
+CVE-2023-49286.patch
+CVE-2023-50269.patch