Bug 1959537 (CVE-2021-33620) - CVE-2021-33620 squid: denial of service in HTTP response processing
Summary: CVE-2021-33620 squid: denial of service in HTTP response processing
Alias: CVE-2021-33620
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Assignee: Red Hat Product Security
Depends On: 1959538 1960215 1960216
Blocks: 1959539
Reported: 2021-05-11 18:04 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:23 UTC

Fixed In Version: squid 4.15, squid 5.0.6
Doc Text:
An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-11-09 18:54:44 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:4292 | 0 | None | None | None | 2021-11-09 18:05:42 UTC

Description Guilherme de Almeida Suckevicz 2021-05-11 18:04:54 UTC
Due to an input validation bug, Squid is vulnerable to a Denial of Service against all clients using the proxy. This problem allows a remote server to perform Denial of Service when delivering HTTP Response messages. The issue trigger is a header which can be expected to exist in HTTP traffic without any malicious intent by the server.


Comment 1 Guilherme de Almeida Suckevicz 2021-05-11 18:05:11 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1959538]

Comment 10 errata-xmlrpc 2021-11-09 18:05:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4292 https://access.redhat.com/errata/RHSA-2021:4292

Comment 11 Product Security DevOps Team 2021-11-09 18:54:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

