CVE-2021-28651

Source
Severity High
Remote Yes
Type Denial of service
Description
Due to a buffer management bug, Squid before version 4.15 is vulnerable to a denial of service attack against the server it is operating on. The attack is limited to proxies that attempt to resolve a "urn:" resource identifier. Support for this resolution is enabled by default in all Squid versions.
Group     Package  Affected  Fixed   Severity  Status  Ticket
AVG-1949  squid    4.14-1    4.15-1  High      Fixed

Date         Advisory       Group     Package  Severity  Type
19 May 2021  ASA-202105-10  AVG-1949  squid    High      denial of service
References
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
http://www.squid-cache.org/Versions/v4/changesets/squid-4-a975fd5aedc866629214aaaccb38376855351899.patch
Notes
Workaround
==========

The issue can be mitigated by disabling URN processing by the proxy, by adding these lines to squid.conf:

acl URN proto URN
http_access deny URN
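
Squid evaluates http_access rules in order and stops at the first match, so the deny rule only mitigates the issue if it appears before any allow rule. The following check of a squid.conf for that ordering is an added example, not part of the advisory or of Squid; the function name and the sample configurations are constructed for illustration, and it assumes a single file without include directives.

```python
def check_urn_workaround(conf_text):
    """Return (ok, reason) for the text of a squid.conf.

    Assumptions of this sketch: 'include' files are not followed, '#'
    always starts a comment, and the protocol name in a 'proto' ACL is
    compared case-insensitively.
    """
    urn_acls = set()  # names of ACLs that match the URN protocol
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "acl" and len(tokens) >= 4 and tokens[2] == "proto":
            if any(value.upper() == "URN" for value in tokens[3:]):
                urn_acls.add(tokens[1])
        elif tokens[0] == "http_access":
            action, acls = tokens[1], tokens[2:]
            # An unconditional deny: exactly one ACL, and it matches URN.
            if action == "deny" and len(acls) == 1 and acls[0] in urn_acls:
                return True, f"URN denied at line {lineno}"
            # Conservative: any earlier allow rule may match a urn: request.
            if action == "allow":
                return False, f"allow rule at line {lineno} precedes any URN deny"
    return False, "no 'http_access deny' rule for a 'proto URN' ACL"


# Constructed sample configurations.
GOOD = """
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN
http_access allow localnet
http_access deny all
"""

BAD_ORDER = """
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet
http_access deny URN
http_access deny all
"""

MISSING = """
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("MISSING", MISSING)):
        print(name, check_urn_workaround(conf))
```

A failing result for an allow rule is deliberately conservative: the rule may not match urn: requests, but placing the deny first removes the doubt.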