Bug 1962254 (CVE-2021-28662) - CVE-2021-28662 squid: denial of service in HTTP response processing
Summary: CVE-2021-28662 squid: denial of service in HTTP response processing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1963381 1963382 1963383
Blocks: 1959539
TreeView+ depends on / blocked
 
Reported: 2021-05-19 15:18 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 21:23 UTC (History)
5 users (show)

Fixed In Version: squid 4.15, squid 5.0.6
Doc Type: If docs needed, set a value
Doc Text:
An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-11-09 18:54:14 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4292 0 None None None 2021-11-09 18:05:56 UTC

Description Mauro Matteo Cascella 2021-05-19 15:18:58 UTC
Due to an input validation bug Squid is vulnerable to a Denial of Service against all clients using the proxy. This problem allows a remote server to perform Denial of Service when delivering HTTP Response messages. The issue trigger is a header which can be expected to exist in HTTP traffic without any malicious intent by the server.

Upstream security advisory:
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h

Comment 1 Mauro Matteo Cascella 2021-05-22 20:26:21 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1963381]

Comment 6 Yadnyawalk Tale 2021-10-19 04:49:27 UTC
The supported versions of Red Hat Satellite does not ship Squid and only consumed through Red Hat Enterprise Linux repository. Product uses older version Squid which is not affected by vulnerability.

Comment 7 errata-xmlrpc 2021-11-09 18:05:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4292 https://access.redhat.com/errata/RHSA-2021:4292

Comment 8 Product Security DevOps Team 2021-11-09 18:54:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28662


Note You need to log in before you can comment on or make changes to this bug.