SB2025082502 - Red Hat Enterprise Linux 7 Extended Lifecycle Support update for squid

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025082502

SB2025082502 - Red Hat Enterprise Linux 7 Extended Lifecycle Support update for squid

Published: August 25, 2025

Security Bulletin ID SB2025082502
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2021-28651)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when resolving "urn:" resource identifiers. A remote attacker can trick a user behind the proxy server to click on a specially crafted "urn:" link that leads to a server under attacker's control and force Squid to consume arbitrarily large amounts of memory on the server. 


2) Buffer Over-read (CVE-ID: CVE-2025-54574)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to a boundary error when processing URN Trivial-HTTP responses. A remote user can send a specially crafted HTTP response from the web server to the affected proxy, trigger memory corruption and force the proxy to deliver up to 4KB of Squid allocated heap memory to the client.


Remediation

Install update from vendor's website.

References