Bug 2254663 (CVE-2023-50269) - CVE-2023-50269 squid: denial of service in HTTP request parsing
Summary: CVE-2023-50269 squid: denial of service in HTTP request parsing
Keywords:
Status: NEW
Alias: CVE-2023-50269
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2254686
Blocks: 2254666
Reported: 2023-12-15 05:06 UTC by TEJ RATHI
Modified: 2024-04-11 16:43 UTC (History)

Fixed In Version: squid 6.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Squid, which is susceptible to a Denial of Service (DoS) due to an Uncontrolled Recursion bug, specifically targeting HTTP Request parsing. Exploiting this issue involves a remote client initiating a DoS attack by sending an oversized X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This issue poses a threat to the stability and availability of the Squid service.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1396 0 None None None 2024-03-19 16:23:47 UTC
Red Hat Product Errata RHSA-2024:0397 0 None None None 2024-01-24 12:22:38 UTC
Red Hat Product Errata RHSA-2024:0771 0 None None None 2024-02-12 08:39:08 UTC
Red Hat Product Errata RHSA-2024:0772 0 None None None 2024-02-12 08:35:40 UTC
Red Hat Product Errata RHSA-2024:0773 0 None None None 2024-02-12 08:37:27 UTC
Red Hat Product Errata RHSA-2024:1085 0 None None None 2024-03-05 08:17:17 UTC
Red Hat Product Errata RHSA-2024:1153 0 None None None 2024-03-05 18:00:55 UTC
Red Hat Product Errata RHSA-2024:1375 0 None None None 2024-03-19 14:04:25 UTC
Red Hat Product Errata RHSA-2024:1376 0 None None None 2024-03-19 14:02:00 UTC
Red Hat Product Errata RHSA-2024:1787 0 None None None 2024-04-11 16:43:12 UTC

Description TEJ RATHI 2023-12-15 05:06:51 UTC
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform a Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.

http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch
https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
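Added here as a triage aid, not code from the bug report or the Squid project: the script checks a Squid version string against the affected ranges stated in the description and scans a squid.conf fragment for an active follow_x_forwarded_for allow line, since the bug is only reachable when that feature is configured. It assumes that 2.x "STABLEn" suffixes compare as the numeric n; the sample config fragment is constructed.

```python
# Added example (not from the bug report or the Squid project): flags Squid deployments
# exposed to CVE-2023-50269 from the version ranges and the follow_x_forwarded_for condition above.
import re

# Affected ranges from the advisory, inclusive. "STABLEn" is mapped to the numeric
# component n (this script's assumption), so 2.7.STABLE9 becomes (2, 7, 9).
AFFECTED_RANGES = [
    ((2, 6), (2, 7, 9)),   # 2.6 through 2.7.STABLE9
    ((3, 1), (5, 9)),      # 3.1 through 5.9
    ((6, 0, 1), (6, 5)),   # 6.0.1 through 6.5; fixed in 6.6
]

def parse_version(text):
    """Parse '5.7', '6.0.1' or '2.7.STABLE9' into a comparable tuple of ints."""
    parts = []
    for comp in text.strip().split("."):
        m = re.fullmatch(r"(?:STABLE)?(\d+)", comp)
        if not m:
            raise ValueError(f"unrecognised Squid version component: {comp!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)

def is_affected(version):
    """True if version lies in an affected range. The upper bound is compared on its
    own length, so 6.5.x still counts, while 2.7.STABLE10 sorts above (2, 7, 9)."""
    v = parse_version(version)
    return any(lo <= v and v[:len(hi)] <= hi for lo, hi in AFFECTED_RANGES)

def follows_xff(config_text):
    """True if squid.conf has an active 'follow_x_forwarded_for allow ...' line.
    Squid's default is 'deny all', so commented-out or deny-only lines do not count."""
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop trailing comments
        if words[:2] == ["follow_x_forwarded_for", "allow"]:
            return True
    return False

def exposure(version, config_text):
    """Triage label for one deployment."""
    if not is_affected(version):
        return "not affected"
    if not follows_xff(config_text):
        return "affected version, feature not enabled: patch at next window"
    return "exposed: patch now or disable follow_x_forwarded_for"

# Constructed squid.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
# follow_x_forwarded_for deny all
follow_x_forwarded_for allow localhost
"""
```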

Comment 2 Sandipan Roy 2023-12-15 06:02:54 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 2254686]

Comment 5 errata-xmlrpc 2024-01-24 12:22:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0397 https://access.redhat.com/errata/RHSA-2024:0397

Comment 6 errata-xmlrpc 2024-02-12 08:35:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0772 https://access.redhat.com/errata/RHSA-2024:0772

Comment 7 errata-xmlrpc 2024-02-12 08:37:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0773 https://access.redhat.com/errata/RHSA-2024:0773

Comment 8 errata-xmlrpc 2024-02-12 08:39:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0771 https://access.redhat.com/errata/RHSA-2024:0771

Comment 9 errata-xmlrpc 2024-03-05 08:17:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1085 https://access.redhat.com/errata/RHSA-2024:1085

Comment 10 errata-xmlrpc 2024-03-05 18:00:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1153 https://access.redhat.com/errata/RHSA-2024:1153

Comment 11 errata-xmlrpc 2024-03-19 14:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1376 https://access.redhat.com/errata/RHSA-2024:1376

Comment 12 errata-xmlrpc 2024-03-19 14:04:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1375 https://access.redhat.com/errata/RHSA-2024:1375

Comment 15 errata-xmlrpc 2024-04-11 16:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1787 https://access.redhat.com/errata/RHSA-2024:1787

