Bug 2264309 (CVE-2024-25617)

Summary: CVE-2024-25617 squid: denial of service in HTTP header parser
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jonathansteffan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 6.5 Doc Type: ---
Doc Text:
A flaw was found in Squid. This issue may allow a remote client or remote server to trigger a denial of service when sending oversized headers in HTTP messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2264310    
Bug Blocks: 2264308    

Description Robb Gatica 2024-02-14 22:59:39 UTC 
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2.

References:
https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr
https://megamansec.github.io/Squid-Security-Audit/response-memleaks.html

Upstream patch:
https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817
Comment 1 Robb Gatica 2024-02-14 23:02:44 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 2264310]
Comment 3 Jonathan Steffan 2024-02-16 17:43:12 UTC 
The fix https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817 appears in all upstream releases that are currently built in Fedora.
Comment 5 errata-xmlrpc 2024-03-01 08:12:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1062 https://access.redhat.com/errata/RHSA-2024:1062
Comment 6 errata-xmlrpc 2024-03-04 09:10:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1066 https://access.redhat.com/errata/RHSA-2024:1066
Comment 7 errata-xmlrpc 2024-03-06 01:05:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1184 https://access.redhat.com/errata/RHSA-2024:1184
Comment 8 errata-xmlrpc 2024-03-19 14:01:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1376 https://access.redhat.com/errata/RHSA-2024:1376
Comment 9 errata-xmlrpc 2024-03-19 14:04:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1375 https://access.redhat.com/errata/RHSA-2024:1375
Comment 12 errata-xmlrpc 2024-04-11 16:43:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1787 https://access.redhat.com/errata/RHSA-2024:1787
Comment 13 errata-xmlrpc 2024-04-16 10:40:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1832 https://access.redhat.com/errata/RHSA-2024:1832
Comment 14 errata-xmlrpc 2024-04-16 13:33:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1833 https://access.redhat.com/errata/RHSA-2024:1833
Comment 15 errata-xmlrpc 2024-05-09 05:53:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2777 https://access.redhat.com/errata/RHSA-2024:2777