1852554 – (CVE-2020-14058) CVE-2020-14058 squid: DoS in TLS handshake

Bug 1852554 (CVE-2020-14058) - CVE-2020-14058 squid: DoS in TLS handshake

Summary: CVE-2020-14058 squid: DoS in TLS handshake

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-14058
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1852555 1853135 1853136
Blocks:	1852556
TreeView+	depends on / blocked

Reported:	2020-06-30 17:04 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-03-30 13:54 UTC (History)
CC List:	5 users (show)
Fixed In Version:	squid 4.12, squid 5.0.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in squid. A denial-of-service attack while processing TLS certificates is possible due to use of a potentially dangerous function in Squid and the default certificate validation helper. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:26:15 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4743	0	None	None	None	2020-11-04 03:32:09 UTC

Description Guilherme de Almeida Suckevicz 2020-06-30 17:04:45 UTC

Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a Denial of Service attack when processing TLS certificates.

Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57

Comment 1 Guilherme de Almeida Suckevicz 2020-06-30 17:05:00 UTC

Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1852555]

Comment 2 Huzaifa S. Sidhpurwala 2020-07-02 04:26:15 UTC

Upstream patches:

Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch

Squid 5:
http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch

Comment 3 Huzaifa S. Sidhpurwala 2020-07-02 04:26:18 UTC

External References:

https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57

Comment 8 Product Security DevOps Team 2020-11-04 02:26:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14058

Comment 9 errata-xmlrpc 2020-11-04 03:32:08 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743

Note You need to log in before you can comment on or make changes to this bug.