SUSE: 2020:14460-1 important: squid3
Summary
This update for squid3 fixes the following issues:

- Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049, bsc#1173455)
- Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)
- Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)
- Fixed a potential remote execution vulnerability when using HTTP Digest Authentication (CVE-2020-11945, bsc#1170313)
- Fixed a potential ACL bypass, cache-bypass and cross-site scripting attack when processing invalid HTTP Request messages (CVE-2019-12520, CVE-2019-12524, bsc#1170423)
- Fixed a potential denial of service when processing TLS certificates during HTTPS connections (CVE-2020-14059, bsc#1173304)
- Fixed a potential denial of service associated with incorrect buffer management of HTTP Basic Authentication credentials (bsc#1141329, CVE-2019-12529)
- Fixed incorrect buffer management resulting in a denial of service vulnerability during processing of HTTP Digest Authentication credentials (bsc#1141332, CVE-2019-12525)
- Fixed XSS via the user_name or auth parameter in cachemgr.cgi (bsc#1140738, CVE-2019-13345)
- Fixed a potential code execution vulnerability (CVE-2019-12526, bsc#1156326)
- Fixed HTTP Request Splitting in HTTP message processing and information disclosure in HTTP Digest Authentication (CVE-2019-18678, CVE-2019-18679, bsc#1156323, bsc#1156324)
- Fixed a security issue allowing a remote client to cause a buffer overflow when squid is acting as a reverse proxy (CVE-2020-8449, CVE-2020-8450, bsc#1162687)
- Fixed a security issue allowing for information disclosure in the FTP gateway (CVE-2019-12528, bsc#1162689)
- Fixed a security issue in ext_lm_group_acl when processing NTLM Authentication credentials (CVE-2020-8517, bsc#1162691)
- Fixed Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677, bsc#1156328)
- Disabled urn parsing and parsing of unknown schemes (bsc#1156329, CVE-2019-12523, CVE-2019-18676)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-squid3-14460=1
- SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-squid3-14460=1
- SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-squid3-14460=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): squid3-3.1.23-8.16.37.12.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586): squid3-3.1.23-8.16.37.12.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): squid3-debuginfo-3.1.23-8.16.37.12.1 squid3-debugsource-3.1.23-8.16.37.12.1
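As an added example that is not part of the SUSE advisory, the following POSIX shell check reports whether a host's installed squid3 package is at or beyond the fixed version listed in the Package List above. It assumes GNU `sort -V` for version ordering (an approximation of rpm's own EVR comparison, adequate for purely numeric version strings like these) and `rpm` for reading the installed version; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify that the installed
# squid3 package is at or above the fixed version named in the advisory.

FIXED_SQUID3="3.1.23-8.16.37.12.1"   # VERSION-RELEASE from the Package List

# version_ge A B -> exit status 0 when A >= B in natural version order.
# Relies on GNU sort -V; both arguments are "VERSION-RELEASE" strings.
# Assumption: purely numeric components, where sort -V and rpm agree.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# squid3_patched INSTALLED -> 0 if INSTALLED >= FIXED_SQUID3, 1 otherwise.
squid3_patched() {
    version_ge "$1" "$FIXED_SQUID3"
}

# installed_squid3_version -> prints "VERSION-RELEASE" of the installed
# squid3 via rpm, or "none" when rpm is absent or the package is missing.
installed_squid3_version() {
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' squid3 2>/dev/null || echo none
}

# Stand-alone usage on an RPM-based SLES host: ./check.sh --check-host
if [ "${1:-}" = "--check-host" ]; then
    v=$(installed_squid3_version)
    if [ "$v" = none ]; then
        echo "squid3 not installed"
    elif squid3_patched "$v"; then
        echo "squid3 $v: patched (>= $FIXED_SQUID3)"
    else
        echo "squid3 $v: not patched, run: zypper in -t patch slessp4-squid3-14460=1"
    fi
fi
```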
References
#1140738 #1141329 #1141332 #1156323 #1156324
#1156326 #1156328 #1156329 #1162687 #1162689
#1162691 #1167373 #1169659 #1170313 #1170423
#1173304 #1173455
Cross-References
CVE-2019-12519 CVE-2019-12520 CVE-2019-12521
CVE-2019-12523 CVE-2019-12524 CVE-2019-12525
CVE-2019-12526 CVE-2019-12528 CVE-2019-12529
CVE-2019-13345 CVE-2019-18676 CVE-2019-18677
CVE-2019-18678 CVE-2019-18679 CVE-2019-18860
CVE-2020-11945 CVE-2020-14059 CVE-2020-15049
CVE-2020-8449 CVE-2020-8450 CVE-2020-8517
Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
https://www.suse.com/security/cve/CVE-2019-12519.html
https://www.suse.com/security/cve/CVE-2019-12520.html
https://www.suse.com/security/cve/CVE-2019-12521.html
https://www.suse.com/security/cve/CVE-2019-12523.html
https://www.suse.com/security/cve/CVE-2019-12524.html
https://www.suse.com/security/cve/CVE-2019-12525.html
https://www.suse.com/security/cve/CVE-2019-12526.html
https://www.suse.com/security/cve/CVE-2019-12528.html
https://www.suse.com/security/cve/CVE-2019-12529.html
https://www.suse.com/security/cve/CVE-2019-13345.html
https://www.suse.com/security/cve/CVE-2019-18676.html
https://www.suse.com/security/cve/CVE-2019-18677.html
https://www.suse.com/security/cve/CVE-2019-18678.html
https://www.suse.com/security/cve/CVE-2019-18679.html
https://www.suse.com/security/cve/CVE-2019-18860.html
https://www.suse.com/security/cve/CVE-2020-11945.html
https://www.suse.com/security/cve/CVE-2020-14059.html
https://www.suse.com/security/cve/CVE-2020-15049.html
https://www.suse.com/security/cve/CVE-2020-8449.html
https://www.suse.com/security/cve/CVE-2020-8450.html
https://www.suse.com/security/cve/CVE-2020-8517.html
https://bugzilla.suse.com/1140738
https://bugzilla.suse.com/1141329
https://bugzilla.suse.com/1141332
https://bugzilla.suse.com/1156323
https://bugzilla.suse.com/1156324
https://bugzilla.suse.com/1156326
https://bugzilla.suse.com/1156328
https://bugzilla.suse.com/1156329
https://bugzilla.suse.com/1162687
https://bugzilla.suse.com/1162689
https://bugzilla.suse.com/1162691
https://bugzilla.suse.com/1167373
https://bugzilla.suse.com/1169659
https://bugzilla.suse.com/1170313
https://bugzilla.suse.com/1170423
https://bugzilla.suse.com/1173304
https://bugzilla.suse.com/1173455