PT-2020-13869 · Squid+5 · Squid+6

Christof Gerber

Published

2020-06-30

Updated

2022-04-28

CVE-2020-14058

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Squid versions prior to 4.12 Squid versions 5.x prior to 5.0.3

Description An issue was discovered in Squid due to the use of a potentially dangerous function. Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.

Recommendations For Squid versions prior to 4.12, update to version 4.12 or later. For Squid versions 5.x prior to 5.0.3, update to version 5.0.3 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALSA-2020:4743

ALT-PU-2020-3116

ALT-PU-2020-3140

ALT-PU-2020-3142

CESA-2020_4743

CVE-2020-14058

MGASA-2020-0332

OESA-2021-1092

RHSA-2020:4743

RHSA-2020_4743

RLSA-2020:4743

Affected Products

Alt Linux

Almalinux

Centos

Red Hat

Rocky Linux

Squid

Squid Cache

PT-2020-13869 · Squid+5 · Squid+6

CVE-2020-14058

Related Identifiers

Affected Products

References · 62