CVE-2020-24606

Published: 24 August 2020

Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() in peer_digest.cc mishandles EOF and livelocks.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
squid
bionic    Does not exist
focal     Released (4.10-1ubuntu1.2)
groovy    Released (4.13-1ubuntu1)
hirsute   Released (4.13-1ubuntu1)
precise   Does not exist
trusty    Does not exist
upstream  Needs triage
xenial    Does not exist

squid3
bionic    Released (3.5.27-1ubuntu1.9)
focal     Does not exist
groovy    Does not exist
hirsute   Does not exist
precise   Ignored (end of ESM support, was needs-triage)
trusty    Does not exist
upstream  Needs triage
xenial    Released (3.5.12-1ubuntu7.15)