SUSE-SU-2020:14460-1: important: Security update for squid3
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Aug 24 10:13:29 MDT 2020
SUSE Security Update: Security update for squid3
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:14460-1
Rating: important
References: #1140738 #1141329 #1141332 #1156323 #1156324
#1156326 #1156328 #1156329 #1162687 #1162689
#1162691 #1167373 #1169659 #1170313 #1170423
#1173304 #1173455
Cross-References: CVE-2019-12519 CVE-2019-12520 CVE-2019-12521
CVE-2019-12523 CVE-2019-12524 CVE-2019-12525
CVE-2019-12526 CVE-2019-12528 CVE-2019-12529
CVE-2019-13345 CVE-2019-18676 CVE-2019-18677
CVE-2019-18678 CVE-2019-18679 CVE-2019-18860
CVE-2020-11945 CVE-2020-14059 CVE-2020-15049
CVE-2020-8449 CVE-2020-8450 CVE-2020-8517
Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that fixes 21 vulnerabilities is now available.
Description:
This update for squid3 fixes the following issues:
- Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049,
bsc#1173455)
- Fixed incorrect buffer handling that can result in cache poisoning,
remote execution, and denial of service attacks when processing ESI
responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)
- Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)
- Fixed a potential remote execution vulnerability when using HTTP Digest
Authentication (CVE-2020-11945, bsc#1170313)
- Fixed a potential ACL bypass, cache-bypass and cross-site scripting
attack when processing invalid HTTP Request messages (CVE-2019-12520,
CVE-2019-12524, bsc#1170423)
- Fixed a potential denial of service when processing TLS certificates
during HTTPS connections (CVE-2020-14059, bsc#1173304)
- Fixed a potential denial of service associated with incorrect buffer
management of HTTP Basic Authentication credentials (bsc#1141329,
CVE-2019-12529)
- Fixed an incorrect buffer management resulting in vulnerability to a
denial of service during processing of HTTP Digest Authentication
credentials (bsc#1141332, CVE-2019-12525)
- Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738,
CVE-2019-13345)
- Fixed a potential code execution vulnerability (CVE-2019-12526,
bsc#1156326)
- Fixed HTTP Request Splitting in HTTP message processing and information
disclosure in HTTP Digest Authentication (CVE-2019-18678,
CVE-2019-18679, bsc#1156323, bsc#1156324)
- Fixed a security issue allowing a remote client ability to cause use a
buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449,
CVE-2020-8450, bsc#1162687)
- Fixed a security issue allowing for information disclosure in FTP
gateway (CVE-2019-12528, bsc#1162689)
- Fixed a security issue in ext_lm_group_acl when processing NTLM
Authentication credentials. (CVE-2020-8517, bsc#1162691)
- Fixed Cross-Site Request Forgery in HTTP Request processing
(CVE-2019-18677, bsc#1156328)
- Disable urn parsing and parsing of unknown schemes (bsc#1156329,
CVE-2019-12523, CVE-2019-18676)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP4-LTSS:
zypper in -t patch slessp4-squid3-14460=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-squid3-14460=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-squid3-14460=1
Package List:
- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
squid3-3.1.23-8.16.37.12.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
squid3-3.1.23-8.16.37.12.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
squid3-debuginfo-3.1.23-8.16.37.12.1
squid3-debugsource-3.1.23-8.16.37.12.1
References:
https://www.suse.com/security/cve/CVE-2019-12519.html
https://www.suse.com/security/cve/CVE-2019-12520.html
https://www.suse.com/security/cve/CVE-2019-12521.html
https://www.suse.com/security/cve/CVE-2019-12523.html
https://www.suse.com/security/cve/CVE-2019-12524.html
https://www.suse.com/security/cve/CVE-2019-12525.html
https://www.suse.com/security/cve/CVE-2019-12526.html
https://www.suse.com/security/cve/CVE-2019-12528.html
https://www.suse.com/security/cve/CVE-2019-12529.html
https://www.suse.com/security/cve/CVE-2019-13345.html
https://www.suse.com/security/cve/CVE-2019-18676.html
https://www.suse.com/security/cve/CVE-2019-18677.html
https://www.suse.com/security/cve/CVE-2019-18678.html
https://www.suse.com/security/cve/CVE-2019-18679.html
https://www.suse.com/security/cve/CVE-2019-18860.html
https://www.suse.com/security/cve/CVE-2020-11945.html
https://www.suse.com/security/cve/CVE-2020-14059.html
https://www.suse.com/security/cve/CVE-2020-15049.html
https://www.suse.com/security/cve/CVE-2020-8449.html
https://www.suse.com/security/cve/CVE-2020-8450.html
https://www.suse.com/security/cve/CVE-2020-8517.html
https://bugzilla.suse.com/1140738
https://bugzilla.suse.com/1141329
https://bugzilla.suse.com/1141332
https://bugzilla.suse.com/1156323
https://bugzilla.suse.com/1156324
https://bugzilla.suse.com/1156326
https://bugzilla.suse.com/1156328
https://bugzilla.suse.com/1156329
https://bugzilla.suse.com/1162687
https://bugzilla.suse.com/1162689
https://bugzilla.suse.com/1162691
https://bugzilla.suse.com/1167373
https://bugzilla.suse.com/1169659
https://bugzilla.suse.com/1170313
https://bugzilla.suse.com/1170423
https://bugzilla.suse.com/1173304
https://bugzilla.suse.com/1173455
More information about the sle-security-updates
mailing list