Bug 1962246 (CVE-2021-28652)

Summary: CVE-2021-28652 squid: denial of service issue in Cache Manager
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, code, icesalov, jonathansteffan, luhliari
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 4.15, squid 5.0.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Squid. A parser validation bug could allow a trusted client with Cache Manager API access privileges to trigger memory leaks, potentially resulting in a denial of service against Squid. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:53:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1963363, 1963364, 1963365    
Bug Blocks: 1959539    

Description Mauro Matteo Cascella 2021-05-19 15:10:31 UTC 
Due to an incorrect parser validation bug Squid is vulnerable to a Denial of Service attack against the Cache Manager API. This problem allows a trusted client to trigger memory leaks which over time lead to a Denial of Service against Squid and the machine it is operating on. This attack is limited to clients with Cache Manager API access privilege.

Upstream security advisory:
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
Comment 1 Mauro Matteo Cascella 2021-05-22 17:34:35 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1963363]
Comment 3 Mauro Matteo Cascella 2021-05-24 07:42:25 UTC 
Upstream pull request:
https://github.com/squid-cache/squid/pull/788

Upstream commits:
https://github.com/squid-cache/squid/commit/26e65059bc06ebce508737b5cd0866478691566a [master]
https://github.com/squid-cache/squid/commit/2db70e04723cedd19a90dba8b863ccbc2e708f8e [v5]
https://github.com/squid-cache/squid/commit/0003e3518dc95e4b5ab46b5140af79b22253048e [v4]
Comment 6 errata-xmlrpc 2021-11-09 18:05:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4292 https://access.redhat.com/errata/RHSA-2021:4292
Comment 7 Product Security DevOps Team 2021-11-09 18:53:41 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28652