Bug 1219960 (CVE-2024-25617) - VUL-0: CVE-2024-25617: squid,squid3: denial of service in HTTP header parser
Summary: VUL-0: CVE-2024-25617: squid,squid3: denial of service in HTTP header parser
Status: RESOLVED FIXED
Alias: CVE-2024-25617
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/394196/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-25617:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-15 11:22 UTC by SMASH SMASH
Modified: 2024-04-05 07:25 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-15 11:22:17 UTC 
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no knodenial of service in HTTP header parserwn workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25617
https://www.cve.org/CVERecord?id=CVE-2024-25617
https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr
https://bugzilla.redhat.com/show_bug.cgi?id=2264309
https://megamansec.github.io/Squid-Security-Audit/response-memleaks.html

Patch:
https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817
Comment 3 OBSbugzilla Bot 2024-03-06 15:35:09 UTC 
This is an autogenerated message for OBS integration:
This bug (1219960) was mentioned in
https://build.opensuse.org/request/show/1155563 Factory / squid
Comment 7 Maintenance Automation 2024-04-04 16:30:12 UTC 
SUSE-SU-2024:1115-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33028](https://smelt.suse.de/incident/33028/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 squid-4.17-4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-04-04 16:30:14 UTC 
SUSE-SU-2024:1114-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33029](https://smelt.suse.de/incident/33029/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Enterprise Storage 7.1 (src):
 squid-4.17-150000.5.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-04-04 16:30:17 UTC 
SUSE-SU-2024:1113-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33030](https://smelt.suse.de/incident/33030/)
Sources used:
openSUSE Leap 15.4 (src):
 squid-5.7-150400.3.26.1
openSUSE Leap 15.5 (src):
 squid-5.7-150400.3.26.1
Server Applications Module 15-SP5 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Proxy 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Retail Branch Server 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Server 4.3 (src):
 squid-5.7-150400.3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Andrea Mattiazzo 2024-04-05 07:25:35 UTC 
Closing