CVE-2021-28651 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Denial of service
Description	Due to a buffer management bug Squid before version 4.15 is vulnerable to a denial of service attack against the server it is operating on. This attack is limited to proxies which attempt to resolve a "urn:" resource identifier. Support for this resolving is enabled by default in all Squid.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1949	squid	4.14-1	4.15-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
19 May 2021	ASA-202105-10	AVG-1949	squid	High	denial of service

References
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4 http://www.squid-cache.org/Versions/v4/changesets/squid-4-a975fd5aedc866629214aaaccb38376855351899.patch

Notes
Workaround ========== The issue can be mitigated by disabling URN processing by the proxy, by adding these lines to squid.conf: acl URN proto URN http_access deny URN