SB2021062606 - openEuler 20.03 LTS SP1 update for squid

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-33620)

The vulnerability allows a remote server to perform a denial of service (DoS) attack.

The vulnerability can be triggered by a header that can be expected to exist in HTTP traffic without any malicious intent by the server. A remote server can trigger the vulnerability and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2021-31806)

The vulnerability allows a remote client to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when performing HTTP Range requests. A remote proxy client can send specially crafted HTTP request via the proxy server  and perform a denial of service (DoS) attack.

3) Integer overflow (CVE-ID: CVE-2021-31808)

The vulnerability allows a remote client to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when delivering responses from HTTP Range requests. A remote proxy client can send specially crafted HTTP request via the proxy server, force the server to initiate a necessary response, trigger integer overflow in Squid and perform a denial of service (DoS) attack.

4) Input validation error (CVE-ID: CVE-2021-28662)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing HTTP responses. A remote attacker who controls a malicious web page can send specially crafted HTTP response and perform a denial of service attack against the proxy server. The issue trigger is a header which can be expected to exist in HTTP traffic without any malicious intent by the server.

5) Input validation error (CVE-ID: CVE-2021-28651)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when resolving "urn:" resource identifiers. A remote attacker can trick a user behind the proxy server to click on a specially crafted "urn:" link that leads to a server under attacker's control and force Squid to consume arbitrarily large amounts of memory on the server. 

6) Memory leak (CVE-ID: CVE-2021-28652)

The vulnerability allows a remote client to perform DoS attack on the target system.

The vulnerability exists due memory leak due to incorrect parser validation in Cache Manager API. A remote trusted client with Cache Manager API access privilege can perform denial of service attack.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1240