CVE-2024-25617

2024-02-1400:00:00

ubuntu.com

squid

dos attack

http headers

vulnerability

version 6.5

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.3%

JSON

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS,
FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may
be vulnerable to a Denial of Service attack against HTTP header parsing.
This problem allows a remote client or a remote server to perform Denial of
Service when sending oversized headers in HTTP messages. In versions of
Squid prior to 6.5 this can be achieved if the request_header_max_size or
reply_header_max_size settings are unchanged from the default. In Squid
version 6.5 and later, the default setting of these parameters is safe.
Squid will emit a critical warning in cache.log if the administrator is
setting these parameters to unsafe values. Squid will not at this time
prevent these settings from being changed to unsafe values. Users are
advised to upgrade to version 6.5. There are no known workarounds for this
vulnerability. This issue is also tracked as SQUID-2024:2

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchsquid< 4.10-1ubuntu1.10UNKNOWN
ubuntu22.04noarchsquid< 5.7-0ubuntu0.22.04.4UNKNOWN
ubuntu23.10noarchsquid< 6.1-2ubuntu1.3UNKNOWN
ubuntu24.04noarchsquid< 6.5-1ubuntu1UNKNOWN
ubuntu18.04noarchsquid3< anyUNKNOWN
ubuntu16.04noarchsquid3< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	squid	< 4.10-1ubuntu1.10	UNKNOWN
ubuntu	22.04	noarch	squid	< 5.7-0ubuntu0.22.04.4	UNKNOWN
ubuntu	23.10	noarch	squid	< 6.1-2ubuntu1.3	UNKNOWN
ubuntu	24.04	noarch	squid	< 6.5-1ubuntu1	UNKNOWN
ubuntu	18.04	noarch	squid3	< any	UNKNOWN
ubuntu	16.04	noarch	squid3	< any	UNKNOWN