-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3871
           squid:4 security, bug fix, and enhancement update
                               6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           squid:4
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-24606 CVE-2020-15049 CVE-2020-14058 CVE-2020-8450
                   CVE-2020-8449 CVE-2019-18860 CVE-2019-18679 CVE-2019-18678
                   CVE-2019-18677 CVE-2019-18676 CVE-2019-12854 CVE-2019-12529
                   CVE-2019-12528 CVE-2019-12526 CVE-2019-12524 CVE-2019-12523
                   CVE-2019-12521 CVE-2019-12520
Reference:         ESB-2020.3435
                   ESB-2020.3406
                   ESB-2020.3333
                   ESB-2020.3054

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4743

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: squid:4 security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:4743-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4743
Issue date:        2020-11-03
CVE Names:         CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 CVE-2019-12524
                   CVE-2019-12526 CVE-2019-12528 CVE-2019-12529 CVE-2019-12854
                   CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679
                   CVE-2019-18860 CVE-2020-8449 CVE-2020-8450 CVE-2020-14058
                   CVE-2020-15049 CVE-2020-24606
=====================================================================

1. Summary:

An update for the squid:4 module is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Squid is a high-performance proxy caching server for web clients, supporting
FTP, Gopher, and HTTP data objects.

The following packages have been upgraded to a later upstream version: squid
(4.11). (BZ#1829467)

Security Fix(es):

* squid: Improper input validation in request allows for proxy manipulation
(CVE-2019-12520)

* squid: Off-by-one error in addStackElement allows for heap buffer overflow
and crash (CVE-2019-12521)

* squid: Improper input validation in URI processor (CVE-2019-12523)

* squid: Improper access restriction in url_regex may lead to security bypass
(CVE-2019-12524)

* squid: Heap overflow issue in URN processing (CVE-2019-12526)

* squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)

* squid: Out of bounds read in Proxy-Authorization header causes DoS
(CVE-2019-12529)

* squid: Denial of service in cachemgr.cgi (CVE-2019-12854)

* squid: Buffer overflow in URI processor (CVE-2019-18676)

* squid: Cross-Site Request Forgery issue in HTTP Request processing
(CVE-2019-18677)

* squid: HTTP Request Splitting issue in HTTP message processing
(CVE-2019-18678)

* squid: Information Disclosure issue in HTTP Digest Authentication
(CVE-2019-18679)

* squid: Mishandled HTML in the host parameter to cachemgr.cgi results in
insecure behaviour (CVE-2019-18860)

* squid: Improper input validation issues in HTTP Request processing
(CVE-2020-8449)

* squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)

* squid: DoS in TLS handshake (CVE-2020-14058)

* squid: Request smuggling and poisoning attack against the HTTP cache
(CVE-2020-15049)

* squid: Improper input validation could result in a DoS (CVE-2020-24606)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1730523 - CVE-2019-12854 squid: Denial of service in cachemgr.cgi
1730528 - CVE-2019-12529 squid: Out of bounds read in Proxy-Authorization header causes DoS
1770349 - CVE-2019-18678 squid: HTTP Request Splitting issue in HTTP message processing
1770356 - CVE-2019-12526 squid: Heap overflow issue in URN processing
1770360 - CVE-2019-18679 squid: Information Disclosure issue in HTTP Digest Authentication
1770365 - CVE-2019-18677 squid: Cross-Site Request Forgery issue in HTTP Request processing
1770371 - CVE-2019-12523 squid: Improper input validation in URI processor
1770375 - CVE-2019-18676 squid: Buffer overflow in URI processor
1798534 - CVE-2019-12528 squid: Information Disclosure issue in FTP Gateway
1798540 - CVE-2020-8449 squid: Improper input validation issues in HTTP Request processing
1798552 - CVE-2020-8450 squid: Buffer overflow in reverse-proxy configurations
1817121 - CVE-2019-18860 squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
1827558 - CVE-2019-12520 squid: Improper input validation in request allows for proxy manipulation
1827562 - CVE-2019-12521 squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash
1827570 - CVE-2019-12524 squid: Improper access restriction in url_regex may lead to security bypass
1852550 - CVE-2020-15049 squid: Request smuggling and poisoning attack against the HTTP cache
1852554 - CVE-2020-14058 squid: DoS in TLS handshake
1871705 - CVE-2020-24606 squid: Improper input validation could result in a DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm
squid-4.11-3.module+el8.3.0+7851+7808b5f9.src.rpm

aarch64:
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm
squid-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm

ppc64le:
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm
squid-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm

s390x:
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm
squid-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm

x86_64:
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm
squid-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-12520
https://access.redhat.com/security/cve/CVE-2019-12521
https://access.redhat.com/security/cve/CVE-2019-12523
https://access.redhat.com/security/cve/CVE-2019-12524
https://access.redhat.com/security/cve/CVE-2019-12526
https://access.redhat.com/security/cve/CVE-2019-12528
https://access.redhat.com/security/cve/CVE-2019-12529
https://access.redhat.com/security/cve/CVE-2019-12854
https://access.redhat.com/security/cve/CVE-2019-18676
https://access.redhat.com/security/cve/CVE-2019-18677
https://access.redhat.com/security/cve/CVE-2019-18678
https://access.redhat.com/security/cve/CVE-2019-18679
https://access.redhat.com/security/cve/CVE-2019-18860
https://access.redhat.com/security/cve/CVE-2020-8449
https://access.redhat.com/security/cve/CVE-2020-8450
https://access.redhat.com/security/cve/CVE-2020-14058
https://access.redhat.com/security/cve/CVE-2020-15049
https://access.redhat.com/security/cve/CVE-2020-24606
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6I3h9zjgjWX9erEAQhNiw/+MRjnmKzN6oLXLyuj4SD8RZKIRrFhTtYS
Ugst/OEOA0zUrcbhKSQXIUpAx4IBZLaNQomuR8yjF9I9AfqRlc58LGt9uZB5ri5P
fUnVIJ66pkua1gJbJzx9lgNMgc3tIGYcB+HYANxA7Lni/6O+95QqR3wBEdk7BxnU
M5sZ576gupUInQk0zGsenu6MEhHvBgLqAC9gVdfhMxOK7y9mOqFVPRXvmaMddtPx
jC/Ki9wzXqPv/u2t1BIHNYkdDecnj+roUN/OqHxs3G6K4u/VvVcquLNEhUDBGcTP
3j5a5GItOYarXfsRyZEUPjIpLYpzmzXEfvL5wkoXf88dD9emWiu0qfWhRVmar9jW
ALix0RM7S36LjUpBULrlNT9iKVq+o4Az28t8uuv01ArepcdO4JDWbhv8/Qa/tWtI
LQO0yWJW9PoEyIMyGbCblgNqI1aBS3mp+J00AC8xPJBS6A4nWCyX/Ybzxs77QyMp
Jdo2vzRJSuGm3u13Sy8JLzw4ywm0C/VAsw8CPvdq2G3B0aRftGXOeN64kFxbq9zZ
5VC+nwPcTHaR0kV9JwRp+8uRweD4mWvFG/kl4opPPVzMaj2D70ET4TNJ3dC6Vubf
NMwHadFfjtoMsoe9D/XXv0bHPKT/Xloe+L3/atAT3dyGIn6cDWMtA4+uDhsINcFH
7yISn9K9NGY=
=lClE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX6SjsuNLKJtyKPYoAQh1Zw//est4FDINb9zlXpj2MixpYLkY5a6S9qk4
+NiF/SZHL3lXhhs2Wguq1aPP9fsoq4GgkwoEBYzyPBKZqHQrLxU68VHuBtP9HGeg
UmMWo18GFAkl0sLIREDrY6VckbPHHXQ8JbyYJ3oRjDmSLrJOLVaSHE12yFVzCL1d
xAXysWsRRcQCHKvyRlvOEVNJbuUCVxVdEpZ8VSbhAXqxcRyUHCK/upLyLIydxmXP
Ru7ZeLG5pRW7UrQmUNCBd4jXUQNEG1O6VQVz32LYpI81yESDT02miDvuXlKqR5o5
dpapdGvChKPk43pWD2qkWOCXJ44RRnjXXQxHj4mpul/vX5ZWY8Pns/jeSPAsUe5W
ppjxfQxVA/H6gyZFzf0/8AsH+aVjsPvNAzi/funurwYnc38cm9PJLghaDQ84Ie2Y
ymAWwTTEwsaCiYsdLPialXAAq+ycDlJHwRQ/LqveDji+CcoVL0sZgtrOtwASE5mw
efGevvMciAn9xHvV1ZRfyN9P9vu9YGpOsnOl16zFS9h8dPAUWI36XgNWWUCdfIwI
GgaR2uGabJ/pXOlSfafm9iNCcOaLwdESQcV3Ywcz9AftqtuV4DGYcJpB4qDbMPaa
tyGN3/uDwM4w7pNFYuqNlISGOl+eHM3vr4eEwDfRGNiI9UxLDZRbr+j8yJaXeeNX
gBaQB6dzD6Y=
=zT0/
-----END PGP SIGNATURE-----
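Section 4 of the advisory points at Red Hat's generic update procedure and section 6 lists the fixed builds; the check an administrator usually wants first is whether a given host's installed squid or libecap build is still below those builds. The Python below is an added example, not part of the AusCERT bulletin or of Red Hat's tooling. It re-implements RPM's segment-wise version comparison (the rpmvercmp rule: digit runs compare numerically, letter runs lexically, a tilde sorts before everything; caret handling is left out), parses package strings in the form `rpm -qa` prints them, and flags the entries of a constructed `rpm -qa` sample that predate the advisory's builds. The fixed version-release strings are copied from section 6; the older squid build in the sample is a made-up placeholder (the `0000+00000000` release tail is not a real build), and because the advisory lists no epoch the comparison deliberately ignores epoch.

```python
"""Check installed squid:4 / libecap builds against the fixed builds of RHSA-2020:4743."""
import re

# Fixed (version, release) per base package, copied from the advisory's section 6.
# Sub-packages (squid-debuginfo, libecap-devel, ...) share their base package's
# version-release, so they are matched on the base name prefix.
FIXED_VR = {
    "squid": ("4.11", "3.module+el8.3.0+7851+7808b5f9"),
    "libecap": ("1.0.1", "2.module+el8.1.0+4044+36416a77"),
}

# name-[epoch:]version-release.arch (a trailing .rpm is stripped before matching)
_NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-:]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1.

    Re-implementation of librpm's rpmvercmp without caret ('^') support:
    separators are skipped, digit runs compare numerically, letter runs
    lexically, a digit run beats a letter run, and '~' sorts before anything,
    including the end of the string (1.0~rc1 < 1.0). A plain string compare
    would wrongly put 4.11 before 4.4.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _alnum(a[i]) and a[i] != "~":
            i += 1
        while j < len(b) and not _alnum(b[j]) and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        seg_a, seg_b = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if seg_b is None:  # segments of different kinds: numeric counts as newer
            return 1 if numeric else -1
        sa, sb = seg_a.group(0), seg_b.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric and int(sa) != int(sb):
            return 1 if int(sa) > int(sb) else -1
        if not numeric and sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the string with segments left over is newer


def parse_nvra(pkg: str) -> dict:
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its fields (epoch defaults to 0)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    m = _NVRA_RE.match(pkg)
    if not m:
        raise ValueError(f"not an NVRA string: {pkg}")
    fields = m.groupdict()
    fields["epoch"] = int(fields["epoch"] or 0)
    return fields


def advisory_base(name: str):
    """Map a package name (base or sub-package) to the advisory's base package, or None."""
    for base in FIXED_VR:
        if name == base or name.startswith(base + "-"):
            return base
    return None


def is_fixed(installed: str) -> bool:
    """True if the installed build is at or above the advisory's build (epoch ignored,
    since the advisory's package list carries none)."""
    pkg = parse_nvra(installed)
    base = advisory_base(pkg["name"])
    if base is None:
        raise ValueError(f"{pkg['name']} is not covered by RHSA-2020:4743")
    fixed_version, fixed_release = FIXED_VR[base]
    c = rpmvercmp(pkg["version"], fixed_version)
    if c == 0:
        c = rpmvercmp(pkg["release"], fixed_release)
    return c >= 0


def unpatched_packages(rpm_qa_output: str) -> list:
    """Return the lines of `rpm -qa 'squid*' 'libecap*'` output that still predate the
    fixed builds; packages the advisory does not cover are skipped."""
    lines = [ln.strip() for ln in rpm_qa_output.splitlines() if ln.strip()]
    return [ln for ln in lines
            if advisory_base(parse_nvra(ln)["name"]) is not None and not is_fixed(ln)]


# Constructed sample of `rpm -qa` output: the squid build is a made-up older one
# (placeholder release tail), libecap is already at the advisory's build.
SAMPLE_RPM_QA = """\
squid-4.4-8.module+el8.2.0+0000+00000000.x86_64
squid-debuginfo-4.4-8.module+el8.2.0+0000+00000000.x86_64
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64
"""

if __name__ == "__main__":
    for nvra in unpatched_packages(SAMPLE_RPM_QA):
        print("still needs RHSA-2020:4743:", nvra)
```

On a real host, feed `unpatched_packages` the output of `rpm -qa 'squid*' 'libecap*'`. If the query format includes an epoch (`rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n'`), it is parsed but not compared, because the advisory gives no epoch to compare against; the version-release comparison is what decides. The script only answers whether a host still needs the update; applying it follows the procedure linked in section 4, and the package signatures are verified with the key referenced in section 6.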