SUSE-SU-2020:14460-1: important: Security update for squid3

sle-security-updates at sle-security-updates at
Mon Aug 24 10:13:29 MDT 2020

   SUSE Security Update: Security update for squid3

Announcement ID:    SUSE-SU-2020:14460-1
Rating:             important
References:         #1140738 #1141329 #1141332 #1156323 #1156324 
                    #1156326 #1156328 #1156329 #1162687 #1162689 
                    #1162691 #1167373 #1169659 #1170313 #1170423 
                    #1173304 #1173455 
Cross-References:   CVE-2019-12519 CVE-2019-12520 CVE-2019-12521
                    CVE-2019-12523 CVE-2019-12524 CVE-2019-12525
                    CVE-2019-12526 CVE-2019-12528 CVE-2019-12529
                    CVE-2019-13345 CVE-2019-18676 CVE-2019-18677
                    CVE-2019-18678 CVE-2019-18679 CVE-2019-18860
                    CVE-2020-11945 CVE-2020-14059 CVE-2020-15049
                    CVE-2020-8449 CVE-2020-8450 CVE-2020-8517
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4

   An update that fixes 21 vulnerabilities is now available.


   This update for squid3 fixes the following issues:

   - Fixed a cache poisoning and request smuggling vulnerability (CVE-2020-15049,
   - Fixed incorrect buffer handling that can result in cache poisoning,
     remote execution, and denial of service attacks when processing ESI
     responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)

   - Fixed hostname handling in cachemgr.cgi (CVE-2019-18860, bsc#1167373)
   - Fixed a potential remote execution vulnerability when using HTTP Digest
     Authentication (CVE-2020-11945, bsc#1170313)
   - Fixed a potential ACL bypass, cache-bypass and cross-site scripting
     attack when processing invalid HTTP Request messages (CVE-2019-12520,
     CVE-2019-12524, bsc#1170423)
   - Fixed a potential denial of service when processing TLS certificates
     during HTTPS connections (CVE-2020-14059, bsc#1173304)

   - Fixed a potential denial of service associated with incorrect buffer
     management of HTTP Basic Authentication credentials (bsc#1141329,
   - Fixed incorrect buffer management that made Squid vulnerable to a denial
     of service during processing of HTTP Digest Authentication credentials
     (bsc#1141332, CVE-2019-12525)
   - Fixed XSS via the user_name or auth parameter in cachemgr.cgi (bsc#1140738,
   - Fixed a potential code execution vulnerability (CVE-2019-12526,
   - Fixed HTTP Request Splitting in HTTP message processing and information
     disclosure in HTTP Digest Authentication (CVE-2019-18678,
     CVE-2019-18679, bsc#1156323, bsc#1156324)
   - Fixed a security issue allowing a remote client to trigger a buffer
     overflow when Squid is acting as a reverse proxy (CVE-2020-8449,
     CVE-2020-8450, bsc#1162687)
   - Fixed a security issue allowing for information disclosure in FTP
     gateway (CVE-2019-12528, bsc#1162689)
   - Fixed a security issue in ext_lm_group_acl when processing NTLM
     Authentication credentials (CVE-2020-8517, bsc#1162691)

   - Fixed Cross-Site Request Forgery in HTTP Request processing
     (CVE-2019-18677, bsc#1156328)

   - Disabled parsing of the urn: scheme and of unknown URI schemes (bsc#1156329,
     CVE-2019-12523, CVE-2019-18676)

Patch Instructions:

   To install this SUSE Security Update, use the SUSE recommended installation
   methods such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-squid3-14460=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-squid3-14460=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-squid3-14460=1
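
   As an added example (not part of the SUSE advisory), a POSIX shell check to run
   after patching: it reports which of the 21 CVEs listed above are not referenced
   in the installed squid3 package's RPM changelog. It assumes, as SUSE packaging
   normally does, that %changelog entries name the CVEs they fix; the embedded
   sample changelog is constructed so the script can be dry-run without rpm.

```sh
#!/bin/sh
# Added example, not part of the SUSE advisory: report which of the 21 CVEs
# listed above are not referenced in the installed squid3 RPM changelog.
# Assumption: SUSE %changelog entries name the CVEs they fix, as this
# advisory's fix list does, so an absent CVE warrants a closer look.

# CVE identifiers copied from the advisory's Cross-References.
ADVISORY_CVES="CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523
CVE-2019-12524 CVE-2019-12525 CVE-2019-12526 CVE-2019-12528 CVE-2019-12529
CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679
CVE-2019-18860 CVE-2020-11945 CVE-2020-14059 CVE-2020-15049 CVE-2020-8449
CVE-2020-8450 CVE-2020-8517"

# missing_cves TEXT: print, one per line, each advisory CVE that does not
# occur in TEXT (a changelog); prints nothing when all 21 are present.
missing_cves() {
    for cve in $ADVISORY_CVES; do
        case "$1" in
            *"$cve"*) ;;
            *) echo "$cve" ;;
        esac
    done
}

# check_installed: query the real package (rpm -q --changelog prints the
# %changelog). Returns 0 if every CVE is referenced, 1 if not, 2 if absent.
check_installed() {
    rpm -q squid3 >/dev/null 2>&1 || { echo "squid3 is not installed" >&2; return 2; }
    missing=$(missing_cves "$(rpm -q --changelog squid3)")
    if [ -z "$missing" ]; then
        echo "installed squid3 changelog references all 21 advisory CVEs"
        return 0
    fi
    printf 'CVEs not referenced in the installed squid3 changelog:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample changelog (not a real SUSE changelog) for a stand-alone
# dry run: it names two of the CVEs, so 19 are reported as missing.
SAMPLE_CHANGELOG="- fixed request smuggling (CVE-2020-15049)
- fixed a buffer overflow (CVE-2019-12526)"

if [ "${1:-}" = "--installed" ]; then
    check_installed
else
    echo "advisory CVEs missing from sample changelog:"
    missing_cves "$SAMPLE_CHANGELOG"
fi
```

   Run it with `--installed` on the patched host to check the real package; without arguments it only exercises the constructed sample.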

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):