Bug 1173303 - (CVE-2020-14058) VUL-0: CVE-2020-14058: squid: denial of service when using SMP cache
VUL-0: CVE-2020-14058: squid: denial of service when using SMP cache
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P5 - None : Normal
: ---
Assigned To: Adam Majer
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2020-06-24 09:05 UTC by Robert Frohl
Modified: 2021-05-11 14:30 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2020-06-24 09:05:27 UTC

    Squid Proxy Cache Security Update Advisory SQUID-2020:5

 Advisory ID:       | SQUID-2020:5
 Date:              | June 19, 2020
 Summary:           | Denial of Service when using SMP cache
 Affected versions: | 5.0.1 -> 5.0.2
 Fixed in version:  | 5.0.3



Problem Description:

 Due to an Incorrect Synchronization, Squid is vulnerable to a
 Denial of Service attack when processing objects in an SMP cache.



 This problem may allow a remote client to trigger a Squid worker

 This attack is limited to SMP Squids using shared memory cache
 and/or an SMP rock disk cache.

 CVSS Score of 7.3


Updated Packages:

This bug is fixed in Squid version 5.0.3.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 5:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 All Squid-3.x up to and including 3.5.28 are not vulnerable.

 All Squid-4.x up to and including 4.12 are not vulnerable.

 Squid-5.0.1 and 5.0.2 not using SMP caching are not vulnerable.

 Squid-5.0.1 and 5.0.2 using SMP caching are vulnerable.



Disable all SMP caching. For example:

 * If using multiple Squid workers, set 'cache_mem' to '0' and
   remove all `cache_dir` directives from squid.conf.

 * If using a single Squid worker, remove all 'cache_dir rock'
   directives from squid.conf.


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the <squid-users at lists.squid-cache.org> mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.



 This vulnerability was discovered by Jack Zar of Bloomberg.

 Fixed by Alex Rousskov of The Measurement Factory.


Revision history:

 2020-03-02 16:45:44 UTC Initial Report
 2020-05-13 06:37:31 UTC Patch Released
Comment 1 Adam Majer 2020-06-24 09:12:20 UTC
No affected codestreams. Closing as invalid.