-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: squid:4 security, bug fix, and enhancement update Advisory ID: RHSA-2021:4292-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4292 Issue date: 2021-11-09 CVE Names: CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808 CVE-2021-33620 ==================================================================== 1. Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a later upstream version: squid (4.15). (BZ#1964384) Security Fix(es): * squid: denial of service in URN processing (CVE-2021-28651) * squid: denial of service issue in Cache Manager (CVE-2021-28652) * squid: denial of service in HTTP response processing (CVE-2021-28662) * squid: improper input validation in HTTP Range header (CVE-2021-31806) * squid: incorrect memory management in HTTP Range header (CVE-2021-31807) * squid: integer overflow in HTTP Range header (CVE-2021-31808) * squid: denial of service in HTTP response processing (CVE-2021-33620) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the squid service will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1959537 - CVE-2021-33620 squid: denial of service in HTTP response processing 1962243 - CVE-2021-28651 squid: denial of service in URN processing 1962246 - CVE-2021-28652 squid: denial of service issue in Cache Manager 1962254 - CVE-2021-28662 squid: denial of service in HTTP response processing 1962595 - CVE-2021-31806 squid: improper input validation in HTTP Range header 1962597 - CVE-2021-31807 squid: incorrect memory management in HTTP Range header 1962599 - CVE-2021-31808 squid: integer overflow in HTTP Range header 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm squid-4.15-1.module+el8.5.0+11469+24c223d9.src.rpm aarch64: libecap-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm squid-4.15-1.module+el8.5.0+11469+24c223d9.aarch64.rpm squid-debuginfo-4.15-1.module+el8.5.0+11469+24c223d9.aarch64.rpm squid-debugsource-4.15-1.module+el8.5.0+11469+24c223d9.aarch64.rpm ppc64le: libecap-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm squid-4.15-1.module+el8.5.0+11469+24c223d9.ppc64le.rpm squid-debuginfo-4.15-1.module+el8.5.0+11469+24c223d9.ppc64le.rpm squid-debugsource-4.15-1.module+el8.5.0+11469+24c223d9.ppc64le.rpm s390x: libecap-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm squid-4.15-1.module+el8.5.0+11469+24c223d9.s390x.rpm squid-debuginfo-4.15-1.module+el8.5.0+11469+24c223d9.s390x.rpm squid-debugsource-4.15-1.module+el8.5.0+11469+24c223d9.s390x.rpm x86_64: libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm squid-4.15-1.module+el8.5.0+11469+24c223d9.x86_64.rpm squid-debuginfo-4.15-1.module+el8.5.0+11469+24c223d9.x86_64.rpm squid-debugsource-4.15-1.module+el8.5.0+11469+24c223d9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-28651 https://access.redhat.com/security/cve/CVE-2021-28652 https://access.redhat.com/security/cve/CVE-2021-28662 https://access.redhat.com/security/cve/CVE-2021-31806 https://access.redhat.com/security/cve/CVE-2021-31807 https://access.redhat.com/security/cve/CVE-2021-31808 https://access.redhat.com/security/cve/CVE-2021-33620 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrep9zjgjWX9erEAQic8A/8D3MAzVqniPf1rj+Kg9yIV4ey9LN1dYMh 0U6UJ+Ek7Vldf8DCPMfpZQ+fdqNfP+WTeKijjp6Fmd3FaiGdQuKX9JviI7Z+3pwr 1h9speIsh+hcU0kiUB/ntQ6Aed8r7eJMEZZGS9rVs57RNC4htVksFXfPOXNPHBOn L7EQaPfnJz/msrn7nBTJ8Y2upnXEQ2UK3CIFkb4dTQeypxDiiayFyiJkgCuR0x23 7IOBGbDJXvP/6qpTDjVUVyVG9+k2fOOCtTY9KXO0WHlD6bchehNl4MVZFx3oxdUT dDCQ+15Txm24PlzD6+4SdzVSs9JzKYPbGAq2FFhOsKVz84b6pkbcZ1sYxmg8/9Ay LQDIpjz6M3I6GjXSWTVcn4C+ZZW6xkh0SP8NQShL+/5lS83dr6qK8SzHN0+8huEa nh5RNq0JIP7W1rxUsYfodgSq/vGRQy8RdRCei3/m6bQlhxnEujDZReLKnwcPfOMm I5lIbOhJvXOK1wk9sRpbxjqmGboG4GFuyQxe3CR9TzPKhn5UMD6GICrhu+uouM8L NT6UFe/WIAAjPauSOJE3u/ytWIRZFl13OiRilkynnyQvR6DKDhJGWPvyaK3jWjAv +wCbSexnBsqaz9uMClsLJdgT38v9cfsReMOlJKf2J3fn/O+GUux8yLgUkjxAo7Uy Msx1GzZpzmQ=X47q -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce