
Ubuntu 19.10, USN-4289-1: Squid Security Issues Lead To DoS

February 20, 2020
Numerous vulnerabilities addressed in Squid through Ubuntu Security Notice USN-4289-2. Upgrade promptly to maintain your security.

Summary

Several security issues were fixed in Squid.

Software Description:

- squid: Web proxy cache server

- squid3: Web proxy cache server

Details:

Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528)

Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access server resources prohibited by earlier security filters. (CVE-2020-8449)

Guido Vranken discovered that Squid incorrectly handled certain buffer operations when acting as a reverse proxy. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-8450)

Aaron Costello discovered that Squid incorrectly handled certain NTLM authentication credentials. A remote attacker could possibly use this issue ...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  squid                           4.8-1ubuntu2.2

Ubuntu 18.04 LTS:
  squid                           3.5.27-1ubuntu1.5

Ubuntu 16.04 LTS:
  squid                           3.5.12-1ubuntu7.10

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4289-1

CVE-2019-12528, CVE-2020-8449, CVE-2020-8450, CVE-2020-8517

Severity
important