===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2363.2
                            squid3 security update
                               14 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           squid3
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service     -- Remote/Unauthenticated
                   Unauthorised Access   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11945 CVE-2020-8450  CVE-2020-8449
                   CVE-2019-18860 CVE-2019-18679 CVE-2019-18678
                   CVE-2019-18677 CVE-2019-18676 CVE-2019-13345
                   CVE-2019-12529 CVE-2019-12528 CVE-2019-12526
                   CVE-2019-12525 CVE-2019-12524 CVE-2019-12523
                   CVE-2019-12521 CVE-2019-12520 CVE-2019-12519
                   CVE-2018-19132
Reference:         ESB-2020.1736.2
                   ESB-2020.1420
                   ESB-2020.1371

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2278-2
   https://www.debian.org/lts/security/2020/dla-2278

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  August 14 2020: The original update contained an incomplete
                                   fix. A new update has been issued.
                   July   13 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2278-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
August 13, 2020                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : squid3
Version        : 3.5.23-5+deb9u3
Debian Bug     : 965012

The update of squid3 released as DLA-2278-1 contained an incomplete fix for
CVE-2019-12523 that prevented services which rely on the icap or ecap
protocol to function properly. Updated squid3 packages are now available to
correct this issue.
In addition, the patch for CVE-2019-12529 was improved to use more code from
Debian's cryptographic nettle library.

For Debian 9 stretch, this problem has been fixed in version
3.5.23-5+deb9u3.

We recommend that you upgrade your squid3 packages.

For the detailed security status of squid3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2278-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 10, 2020                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : squid3
Version        : 3.5.23-5+deb9u2
CVE ID         : CVE-2018-19132 CVE-2019-12519 CVE-2019-12520 CVE-2019-12521
                 CVE-2019-12523 CVE-2019-12524 CVE-2019-12525 CVE-2019-12526
                 CVE-2019-12528 CVE-2019-12529 CVE-2019-13345 CVE-2019-18676
                 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860
                 CVE-2020-8449  CVE-2020-8450  CVE-2020-11945
Debian Bug     : 950802 931478 950925 912294

It was found that Squid, a high-performance proxy caching server for web
clients, has been affected by multiple security vulnerabilities. Due to
incorrect input validation and URL request handling it was possible to
bypass access restrictions for restricted HTTP servers and to cause a
denial-of-service.

For Debian 9 stretch, these problems have been fixed in version
3.5.23-5+deb9u2.

We recommend that you upgrade your squid3 packages.

For the detailed security status of squid3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
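As an added example, not part of the Debian advisories or the AusCERT bulletin: a small POSIX shell check that classifies an installed squid3 version on Debian 9 against the two fixed versions quoted above, so that a host still on the DLA-2278-1 package (3.5.23-5+deb9u2, incomplete fix for CVE-2019-12523) is told apart from one carrying DLA-2278-2 (3.5.23-5+deb9u3). It assumes dpkg is present for Debian version comparison and falls back to GNU sort -V otherwise; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed squid3 version
# against the fixed versions named in DLA-2278-1 and DLA-2278-2.
INCOMPLETE_FIX="3.5.23-5+deb9u2"   # DLA-2278-1: CVE-2019-12523 fix incomplete
COMPLETE_FIX="3.5.23-5+deb9u3"     # DLA-2278-2: complete fix

# version_ge A B: succeed if Debian version A >= B.
# Prefer dpkg's own comparator (epochs, ~, + handled correctly); fall back to
# GNU sort -V, which orders these particular version strings the same way.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
    fi
}

# squid3_fix_status VERSION: print one of
#   fixed      - DLA-2278-2 (3.5.23-5+deb9u3) or newer is installed
#   incomplete - only DLA-2278-1 is installed; CVE-2019-12523 fix incomplete
#                and icap/ecap based services may not work
#   vulnerable - older than DLA-2278-1; none of the listed CVEs are fixed
squid3_fix_status() {
    if version_ge "$1" "$COMPLETE_FIX"; then
        echo fixed
    elif version_ge "$1" "$INCOMPLETE_FIX"; then
        echo incomplete
    else
        echo vulnerable
    fi
}

# On a Debian host, query the installed squid3 package (the package name used
# in the advisory) and report its status; elsewhere this part is skipped.
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' squid3 2>/dev/null || true)
    if [ -n "$installed" ]; then
        echo "squid3 $installed: $(squid3_fix_status "$installed")"
    else
        echo "squid3 is not installed"
    fi
fi
```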
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST). On call after hours for member
emergencies only.
===========================================================================