Bug 2322154 (CVE-2024-45802)

Summary: CVE-2024-45802 squid: Denial of Service processing ESI response content
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Squid. Due to input validation and resource management issues, a denial of service may be triggered during the processing of certain Edge Side Includes (ESI) response content.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2322214
Bug Blocks:

Description OSIDB Bzimport 2024-10-28 15:01:25 UTC
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.

Comment 1 errata-xmlrpc 2024-11-14 06:10:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:9624 https://access.redhat.com/errata/RHSA-2024:9624

Comment 2 errata-xmlrpc 2024-11-14 06:15:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9625 https://access.redhat.com/errata/RHSA-2024:9625

Comment 3 errata-xmlrpc 2024-11-14 11:45:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:9644 https://access.redhat.com/errata/RHSA-2024:9644

Comment 4 errata-xmlrpc 2024-11-14 14:47:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:9677 https://access.redhat.com/errata/RHSA-2024:9677

Comment 5 errata-xmlrpc 2024-11-14 15:32:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:9678 https://access.redhat.com/errata/RHSA-2024:9678

Comment 6 errata-xmlrpc 2024-11-14 20:31:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:9729 https://access.redhat.com/errata/RHSA-2024:9729

Comment 7 errata-xmlrpc 2024-11-14 21:39:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:9738 https://access.redhat.com/errata/RHSA-2024:9738

Comment 8 errata-xmlrpc 2024-11-18 01:25:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:9814 https://access.redhat.com/errata/RHSA-2024:9814

Comment 9 errata-xmlrpc 2024-11-18 01:30:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:9815 https://access.redhat.com/errata/RHSA-2024:9815

Comment 10 errata-xmlrpc 2024-11-18 01:34:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:9813 https://access.redhat.com/errata/RHSA-2024:9813