Описание
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
An integer overflow flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. The highest threat from this vulnerability is to system availability.
Отчет
This issue has been rated as having a security impact of Moderate. At this stage in their life, Red Hat Enterprise Linux 6 and 7 only accept Important and Critical Security Advisories (RHSAs) and this flaw does not meet these criteria. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata. Red Hat Satellite does not ship the Squid package, however, does consume it from RHEL 7 repository. Product is not affected by this flaw as squid.conf configuration disables all the http_access fragments except the localhost.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | squid | Out of support scope | ||
| Red Hat Enterprise Linux 6 | squid34 | Out of support scope | ||
| Red Hat Enterprise Linux 7 | squid | Out of support scope | ||
| Red Hat Enterprise Linux 9 | squid | Not affected | ||
| Red Hat Enterprise Linux 8 | squid | Fixed | RHSA-2021:4292 | 09.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due ...
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки введенных пользователем данных при доставке ответов на запросы диапазона HTTP, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
6.5 Medium
CVSS3