Stay Secure with the Latest Linux Advisories

security advisorysecurity updatesquid

Mageia: 2020-0332 Critical: Squid Denial of Service and Cache Issues

Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a Denial of Service attack when processing TLS certificates. This attack is limited to Squid built with OpenSSL features and opening peer or server connections for HTTPS traffic and SSL-Bump server handshakes (CVE-2020-14058). . MGASA-2020-0332 - Updated squid packages fix security vulnerability Publication date: 18 Aug 2020 URL: https://advisories.mageia.org/MGASA-2020-0332.html Type: security Affected Mageia releases: 7 CVE: CVE-2020-14058, CVE-2020-14059 Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a Denial of Service attack when processing TLS certificates. This attack is limited to Squid built with OpenSSL features and opening peer or server connections for HTTPS traffic and SSL-Bump server handshakes (CVE-2020-14058). Due to incorrect input validation Squid is vulnerable to a Request Smuggling and Poisoning attack against the HTTP cache. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software are not vulnerable to participation in this attack (CVE-2020-14059). References: - https://bugs.mageia.org/show_bug.cgi?id=26884 - http://www.squid-cache.org/Advisories/SQUID-2020_6.txt - https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5 - https://www.cve.org/CVERecord?id=CVE-2020-14058 - https://www.cve.org/CVERecord?id=CVE-2020-14059 SRPMS: - 7/core/squid-4.12-2.mga7 . Recent Mageia updates for Squid packages mitigate a Denial of Service vulnerability linked to TLS handling and cache exploitation.. Squid Update, Mageia Security, Denial Of Service, HTTP Cache Attack. . Severity: Critical. LinuxSecurity.com Team

Aug 18, 2020 •Critical Mageia