Bug 2264309 (CVE-2024-25617) - CVE-2024-25617 squid: denial of service in HTTP header parser
Summary: CVE-2024-25617 squid: denial of service in HTTP header parser
Keywords:
Status: NEW
Alias: CVE-2024-25617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2264310
Blocks: 2264308
Reported: 2024-02-14 22:59 UTC by Robb Gatica
Modified: 2024-05-09 05:53 UTC (History)

Fixed In Version: squid 6.5
Doc Type: ---
Doc Text:
A flaw was found in Squid. This issue may allow a remote client or remote server to trigger a denial of service when sending oversized headers in HTTP messages.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1396 0 None None None 2024-03-19 16:23:48 UTC
Red Hat Product Errata RHSA-2024:1062 0 None None None 2024-03-01 08:12:32 UTC
Red Hat Product Errata RHSA-2024:1066 0 None None None 2024-03-04 09:10:02 UTC
Red Hat Product Errata RHSA-2024:1184 0 None None None 2024-03-06 01:05:57 UTC
Red Hat Product Errata RHSA-2024:1375 0 None None None 2024-03-19 14:04:26 UTC
Red Hat Product Errata RHSA-2024:1376 0 None None None 2024-03-19 14:02:00 UTC
Red Hat Product Errata RHSA-2024:1787 0 None None None 2024-04-11 16:43:12 UTC
Red Hat Product Errata RHSA-2024:1832 0 None None None 2024-04-16 10:40:12 UTC
Red Hat Product Errata RHSA-2024:1833 0 None None None 2024-04-16 13:33:37 UTC
Red Hat Product Errata RHSA-2024:2777 0 None None None 2024-05-09 05:53:59 UTC

Description Robb Gatica 2024-02-14 22:59:39 UTC
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2.

References:
https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr
https://megamansec.github.io/Squid-Security-Audit/response-memleaks.html

Upstream patch:
https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817
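The description above turns on two squid.conf directives and a version boundary, so a small triage helper makes the advisory's rule concrete. The following is an added example written for this page; it is not Squid code and not part of the Red Hat tracker, and it encodes only what the advisory states: before 6.5 the shipped defaults of request_header_max_size and reply_header_max_size are unsafe and there is no workaround other than upgrading, while from 6.5 the defaults are safe and Squid writes a critical warning to cache.log when an administrator sets unsafe values. The page gives no numeric thresholds, so none are assumed; the helper only distinguishes "left at default" from "set explicitly". The squid.conf fragments and version strings are constructed samples.

```python
# Added example: CVE-2024-25617 triage helper (not Squid code, not from the
# tracker). It applies the advisory text only: version < 6.5 with default
# header-size limits is affected and has no workaround; 6.5+ defaults are safe,
# and custom limits on 6.5+ should be checked against the cache.log warning.
import re

HEADER_LIMIT_DIRECTIVES = ("request_header_max_size", "reply_header_max_size")
FIXED_VERSION = (6, 5)  # "Fixed In Version: squid 6.5"


def parse_squid_version(text):
    """Extract (major, minor) from e.g. 'Squid Cache: Version 6.6' or '5.7'."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return int(match.group(1)), int(match.group(2))


def explicit_header_limits(conf_text):
    """Return {directive: value} for header-size limits set explicitly in
    squid.conf. Commented-out lines and unrelated directives are ignored."""
    limits = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, full or trailing
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in HEADER_LIMIT_DIRECTIVES:
            limits[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return limits


def triage(version_text, conf_text):
    """Classify a deployment using the advisory's statements only.

    Returns a dict with 'status' in {affected, upgrade-required, review,
    not-affected} plus the parsed version, explicit limits and a reason."""
    version = parse_squid_version(version_text)
    explicit = explicit_header_limits(conf_text)
    at_default = [d for d in HEADER_LIMIT_DIRECTIVES if d not in explicit]
    if version < FIXED_VERSION:
        if at_default:
            status = "affected"
            detail = ("%s left at the pre-6.5 default; upgrade to 6.5, "
                      "the advisory lists no workaround" % ", ".join(at_default))
        else:
            status = "upgrade-required"
            detail = ("limits are set explicitly, but the advisory lists no "
                      "workaround; upgrade to 6.5")
    elif explicit:
        status = "review"
        detail = ("6.5+ defaults are safe, but custom limits are set; check "
                  "cache.log for the critical warning about unsafe values")
    else:
        status = "not-affected"
        detail = "6.5+ with default header-size limits"
    return {"version": version, "status": status,
            "explicit": explicit, "detail": detail}


# Constructed sample inputs (not from any real deployment).
SAMPLE_CONF_DEFAULT = """\
# request_header_max_size 32 KB   (commented out, so the default still applies)
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
"""
SAMPLE_CONF_CUSTOM = """\
http_port 3128
request_header_max_size 128 KB
reply_header_max_size 128 KB  # constructed value
"""

if __name__ == "__main__":
    for ver, conf in (("Squid Cache: Version 5.7", SAMPLE_CONF_DEFAULT),
                      ("Squid Cache: Version 6.6", SAMPLE_CONF_CUSTOM)):
        result = triage(ver, conf)
        print(f"{ver}: {result['status']} ({result['detail']})")
```

In practice the version text comes from `squid -v` and the configuration from the running squid.conf; the helper is a triage aid for fleet review and does not replace applying the vendor update.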

Comment 1 Robb Gatica 2024-02-14 23:02:44 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 2264310]

Comment 3 Jonathan Steffan 2024-02-16 17:43:12 UTC
The fix https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817 appears in all upstream releases that are currently built in Fedora.

Comment 5 errata-xmlrpc 2024-03-01 08:12:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1062 https://access.redhat.com/errata/RHSA-2024:1062

Comment 6 errata-xmlrpc 2024-03-04 09:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1066 https://access.redhat.com/errata/RHSA-2024:1066

Comment 7 errata-xmlrpc 2024-03-06 01:05:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1184 https://access.redhat.com/errata/RHSA-2024:1184

Comment 8 errata-xmlrpc 2024-03-19 14:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1376 https://access.redhat.com/errata/RHSA-2024:1376

Comment 9 errata-xmlrpc 2024-03-19 14:04:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1375 https://access.redhat.com/errata/RHSA-2024:1375

Comment 12 errata-xmlrpc 2024-04-11 16:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1787 https://access.redhat.com/errata/RHSA-2024:1787

Comment 13 errata-xmlrpc 2024-04-16 10:40:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1832 https://access.redhat.com/errata/RHSA-2024:1832

Comment 14 errata-xmlrpc 2024-04-16 13:33:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1833 https://access.redhat.com/errata/RHSA-2024:1833

Comment 15 errata-xmlrpc 2024-05-09 05:53:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2777 https://access.redhat.com/errata/RHSA-2024:2777

