SUSE-SU-2020:14460-1: important: Security update for squid3

sle-updates at lists.suse.com sle-updates at lists.suse.com
Mon Aug 24 10:13:29 MDT 2020


   SUSE Security Update: Security update for squid3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14460-1
Rating:             important
References:         #1140738 #1141329 #1141332 #1156323 #1156324 
                    #1156326 #1156328 #1156329 #1162687 #1162689 
                    #1162691 #1167373 #1169659 #1170313 #1170423 
                    #1173304 #1173455 
Cross-References:   CVE-2019-12519 CVE-2019-12520 CVE-2019-12521
                    CVE-2019-12523 CVE-2019-12524 CVE-2019-12525
                    CVE-2019-12526 CVE-2019-12528 CVE-2019-12529
                    CVE-2019-13345 CVE-2019-18676 CVE-2019-18677
                    CVE-2019-18678 CVE-2019-18679 CVE-2019-18860
                    CVE-2020-11945 CVE-2020-14059 CVE-2020-15049
                    CVE-2020-8449 CVE-2020-8450 CVE-2020-8517
                   
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:

   This update for squid3 fixes the following issues:

   - Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049,
     bsc#1173455)
   - Fixed incorrect buffer handling that can result in cache poisoning,
     remote execution, and denial of service attacks when processing ESI
     responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)

   - Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)
   - Fixed a potential remote execution vulnerability when using HTTP Digest
     Authentication (CVE-2020-11945, bsc#1170313)
   - Fixed a potential ACL bypass, cache-bypass and cross-site scripting
     attack when processing invalid HTTP Request messages (CVE-2019-12520,
     CVE-2019-12524, bsc#1170423)
   - Fixed a potential denial of service when processing TLS certificates
     during HTTPS connections (CVE-2020-14059, bsc#1173304)

   - Fixed a potential denial of service associated with incorrect buffer
     management of HTTP Basic Authentication credentials (bsc#1141329,
     CVE-2019-12529)
   - Fixed an incorrect buffer management resulting in vulnerability to a
     denial of service during processing of HTTP Digest Authentication
     credentials (bsc#1141332, CVE-2019-12525)
   - Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738,
     CVE-2019-13345)
   - Fixed a potential code execution vulnerability (CVE-2019-12526,
     bsc#1156326)
   - Fixed HTTP Request Splitting in HTTP message processing and information
     disclosure in HTTP Digest Authentication (CVE-2019-18678,
     CVE-2019-18679, bsc#1156323, bsc#1156324)
   - Fixed a security issue allowing a remote client ability to cause use a
     buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449,
     CVE-2020-8450, bsc#1162687)
   - Fixed a security issue allowing for information disclosure in FTP
     gateway (CVE-2019-12528, bsc#1162689)
   - Fixed a security issue in ext_lm_group_acl when processing NTLM
     Authentication credentials. (CVE-2020-8517, bsc#1162691)

   - Fixed Cross-Site Request Forgery in HTTP Request processing
     (CVE-2019-18677, bsc#1156328)

   - Disable urn parsing and parsing of unknown schemes (bsc#1156329,
     CVE-2019-12523, CVE-2019-18676)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-squid3-14460=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-squid3-14460=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-squid3-14460=1



Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      squid3-3.1.23-8.16.37.12.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      squid3-3.1.23-8.16.37.12.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      squid3-debuginfo-3.1.23-8.16.37.12.1
      squid3-debugsource-3.1.23-8.16.37.12.1


References:

   https://www.suse.com/security/cve/CVE-2019-12519.html
   https://www.suse.com/security/cve/CVE-2019-12520.html
   https://www.suse.com/security/cve/CVE-2019-12521.html
   https://www.suse.com/security/cve/CVE-2019-12523.html
   https://www.suse.com/security/cve/CVE-2019-12524.html
   https://www.suse.com/security/cve/CVE-2019-12525.html
   https://www.suse.com/security/cve/CVE-2019-12526.html
   https://www.suse.com/security/cve/CVE-2019-12528.html
   https://www.suse.com/security/cve/CVE-2019-12529.html
   https://www.suse.com/security/cve/CVE-2019-13345.html
   https://www.suse.com/security/cve/CVE-2019-18676.html
   https://www.suse.com/security/cve/CVE-2019-18677.html
   https://www.suse.com/security/cve/CVE-2019-18678.html
   https://www.suse.com/security/cve/CVE-2019-18679.html
   https://www.suse.com/security/cve/CVE-2019-18860.html
   https://www.suse.com/security/cve/CVE-2020-11945.html
   https://www.suse.com/security/cve/CVE-2020-14059.html
   https://www.suse.com/security/cve/CVE-2020-15049.html
   https://www.suse.com/security/cve/CVE-2020-8449.html
   https://www.suse.com/security/cve/CVE-2020-8450.html
   https://www.suse.com/security/cve/CVE-2020-8517.html
   https://bugzilla.suse.com/1140738
   https://bugzilla.suse.com/1141329
   https://bugzilla.suse.com/1141332
   https://bugzilla.suse.com/1156323
   https://bugzilla.suse.com/1156324
   https://bugzilla.suse.com/1156326
   https://bugzilla.suse.com/1156328
   https://bugzilla.suse.com/1156329
   https://bugzilla.suse.com/1162687
   https://bugzilla.suse.com/1162689
   https://bugzilla.suse.com/1162691
   https://bugzilla.suse.com/1167373
   https://bugzilla.suse.com/1169659
   https://bugzilla.suse.com/1170313
   https://bugzilla.suse.com/1170423
   https://bugzilla.suse.com/1173304
   https://bugzilla.suse.com/1173455



More information about the sle-updates mailing list