Due to incorrect pointer handling, Squid versions 3.x (prior to 3.5.27) and 4.x (prior to 4.0.23) are vulnerable to a denial of service attack when processing HTTP messages or downloading intermediate CA certificates. This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1536940]
A workaround for this issue is to set the "log_uses_indirect_client off" configuration directive in the squid configuration file (for example /etc/squid/squid.conf).
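A small host check built from the version ranges and the workaround directive stated above; it is an added example, not code from Red Hat or the Squid project. It assumes that `squid -v` output contains a dotted version, that for a single-valued squid.conf directive the last uncommented occurrence is the effective one, and that the directive defaults to on when absent.

```python
import re

# Fix versions for the affected branches named in the advisory text:
# 3.x is affected below 3.5.27, 4.x below 4.0.23.
FIXED_VERSIONS = {3: (3, 5, 27), 4: (4, 0, 23)}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Squid Cache: Version 3.5.20'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version_text):
    """True when the reported version is below the fix for its branch."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    # 2.x / 5.x are outside the ranges the advisory names
    return fixed is not None and v < fixed

def workaround_applied(conf_text):
    """True when the effective log_uses_indirect_client setting is 'off'.

    Assumption (not stated on the page): the last uncommented occurrence of a
    single-valued squid.conf directive wins, and an absent directive leaves
    the default, which is 'on'.
    """
    effective = "on"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"log_uses_indirect_client\s+(\S+)", line, re.IGNORECASE)
        if m:
            effective = m.group(1).lower()
    return effective == "off"

def assess(version_text, conf_text):
    """Combine both checks into one verdict for a host."""
    if not is_affected(version_text):
        return "not affected"
    if workaround_applied(conf_text):
        return "affected, workaround in place"
    return "affected, no workaround"

# Constructed sample input, not captured from a real host.
SAMPLE_VERSION = "Squid Cache: Version 3.5.20"
SAMPLE_CONF = "http_port 3128\n# log_uses_indirect_client on\nlog_uses_indirect_client off\n"
```

The workaround check only confirms the directive is set; it does not replace updating to a fixed version.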
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1068 https://access.redhat.com/errata/RHSA-2020:1068
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):