{"schema_version":"1.7.2","id":"OESA-2021-1240","modified":"2021-06-26T11:02:59Z","published":"2021-06-26T11:02:59Z","upstream":["CVE-2021-33620","CVE-2021-31806","CVE-2021-31808","CVE-2021-28662","CVE-2021-28651","CVE-2021-28652"],"summary":"squid security update","details":"Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.(CVE-2021-33620)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.(CVE-2021-31806)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.(CVE-2021-31808)\r\n\r\nAn issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.(CVE-2021-28662)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.(CVE-2021-28651)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.(CVE-2021-28652)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"squid","purl":"pkg:rpm/openEuler/squid\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.9-8.oe1"}]}],"ecosystem_specific":{"aarch64":["squid-debuginfo-4.9-8.oe1.aarch64.rpm","squid-debugsource-4.9-8.oe1.aarch64.rpm","squid-4.9-8.oe1.aarch64.rpm"],"src":["squid-4.9-8.oe1.src.rpm"],"x86_64":["squid-4.9-8.oe1.x86_64.rpm","squid-debuginfo-4.9-8.oe1.x86_64.rpm","squid-debugsource-4.9-8.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1240"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33620"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31806"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31808"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28662"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28651"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28652"}],"database_specific":{"severity":"High"}}