SUSE-SU-2020:14460-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-202014460-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:14460-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:14460-1
Related
Published
2020-08-24T12:06:51Z
Modified
2020-08-24T12:06:51Z
Summary
Security update for squid3
Details

This update for squid3 fixes the following issues:

  • Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049, bsc#1173455)
  • Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)

  • Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)

  • Fixed a potential remote execution vulnerability when using HTTP Digest Authentication (CVE-2020-11945, bsc#1170313)
  • Fixed a potential ACL bypass, cache-bypass and cross-site scripting attack when processing invalid HTTP Request messages (CVE-2019-12520, CVE-2019-12524, bsc#1170423)
  • Fixed a potential denial of service when processing TLS certificates during HTTPS connections (CVE-2020-14059, bsc#1173304)

  • Fixed a potential denial of service associated with incorrect buffer management of HTTP Basic Authentication credentials (bsc#1141329, CVE-2019-12529)

  • Fixed an incorrect buffer management resulting in vulnerability to a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332, CVE-2019-12525)
  • Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738, CVE-2019-13345)
  • Fixed a potential code execution vulnerability (CVE-2019-12526, bsc#1156326)
  • Fixed HTTP Request Splitting in HTTP message processing and information disclosure in HTTP Digest Authentication (CVE-2019-18678, CVE-2019-18679, bsc#1156323, bsc#1156324)
  • Fixed a security issue allowing a remote client ability to cause use a buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449, CVE-2020-8450, bsc#1162687)
  • Fixed a security issue allowing for information disclosure in FTP gateway (CVE-2019-12528, bsc#1162689)
  • Fixed a security issue in extlmgroup_acl when processing NTLM Authentication credentials. (CVE-2020-8517, bsc#1162691)

  • Fixed Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677, bsc#1156328)

  • Disable urn parsing and parsing of unknown schemes (bsc#1156329, CVE-2019-12523, CVE-2019-18676)

References

Affected packages

SUSE:Linux Enterprise Point of Sale 11 SP3 / squid3

Package

Name
squid3
Purl
purl:rpm/suse/squid3&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.23-8.16.37.12.1

Ecosystem specific

{
    "binaries": [
        {
            "squid3": "3.1.23-8.16.37.12.1"
        }
    ]
}

SUSE:Linux Enterprise Server 11 SP4-LTSS / squid3

Package

Name
squid3
Purl
purl:rpm/suse/squid3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.23-8.16.37.12.1

Ecosystem specific

{
    "binaries": [
        {
            "squid3": "3.1.23-8.16.37.12.1"
        }
    ]
}