1962254 – (CVE-2021-28662) CVE-2021-28662 squid: denial of service in HTTP response processing

Bug 1962254 (CVE-2021-28662) - CVE-2021-28662 squid: denial of service in HTTP response processing

Summary: CVE-2021-28662 squid: denial of service in HTTP response processing

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-28662
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1963381 1963382 1963383
Blocks:	1959539
TreeView+	depends on / blocked

Reported:	2021-05-19 15:18 UTC by Mauro Matteo Cascella
Modified:	2022-04-17 21:23 UTC (History)
CC List:	5 users (show)
Fixed In Version:	squid 4.15, squid 5.0.6
Doc Type:	If docs needed, set a value
Doc Text:	An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-11-09 18:54:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4292	0	None	None	None	2021-11-09 18:05:56 UTC

Description Mauro Matteo Cascella 2021-05-19 15:18:58 UTC

Due to an input validation bug Squid is vulnerable to a Denial of Service against all clients using the proxy. This problem allows a remote server to perform Denial of Service when delivering HTTP Response messages. The issue trigger is a header which can be expected to exist in HTTP traffic without any malicious intent by the server.

Upstream security advisory:
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h

Comment 1 Mauro Matteo Cascella 2021-05-22 20:26:21 UTC

Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1963381]

Comment 3 Mauro Matteo Cascella 2021-05-24 07:48:40 UTC

Upstream commits:
https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e [master]
https://github.com/squid-cache/squid/commit/d09b34de2575af3bab4b34c775f93acb7270b4c3 [v5]
https://github.com/squid-cache/squid/commit/b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8 [v4]

Comment 6 Yadnyawalk Tale 2021-10-19 04:49:27 UTC

The supported versions of Red Hat Satellite does not ship Squid and only consumed through Red Hat Enterprise Linux repository. Product uses older version Squid which is not affected by vulnerability.

Comment 7 errata-xmlrpc 2021-11-09 18:05:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4292 https://access.redhat.com/errata/RHSA-2021:4292

Comment 8 Product Security DevOps Team 2021-11-09 18:54:12 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28662

Note You need to log in before you can comment on or make changes to this bug.