Bugzilla – Bug 1113669
VUL-0: CVE-2018-19132: squid: small memory leak in processing of SNMP packets
Last modified: 2022-10-13 13:49:26 UTC
* A small memory leak (CWE-400, CWE-401, CWE-772) in processing of SNMP packets can be abused by remote attackers to consume large amounts of memory over a short time. Under testing this led to Squid crashing and direct denial of service to clients using the proxy. Also, in Linux environments with default virtual memory allocation policies it led to complete consumption of the machine's available memory and denial of service to other applications using the same server. In these latter situations a hard restart of the server may be necessary to recover.

Affected versions:
Squid 3.2.0.10 -> 3.5.28
Squid 4.x -> 4.3

Squid 3.2.0.9 and older (including Squid-2.x) are not vulnerable.

This issue is limited to Squid receiving SNMP traffic. So builds using --disable-snmp are not at all vulnerable. Builds not configured to receive SNMP (default, absent, or '0' values for snmp_port) are not immediately vulnerable, but may become so with simple configuration changes.

The patch for Squid-3.5 should apply relatively cleanly to all v3.x affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch>
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch>
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch>
<http://www.squid-cache.org/Advisories/SQUID-2018_5.txt>
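As an added exposure check (not part of the bug report or of Squid's own code), the script below applies the three conditions the advisory states, affected version range, a --disable-snmp build, and a nonzero snmp_port, to `squid -v` output and squid.conf text. The sample strings, function names and the three result labels are assumptions made for this example.

```python
import re

# Affected ranges quoted in the bug: 3.2.0.10 -> 3.5.28 and 4.x -> 4.3 (4.4 is fixed).
AFFECTED_RANGES = [((3, 2, 0, 10), (3, 5, 28, 0)), ((4, 0, 0, 0), (4, 3, 0, 0))]

def parse_version(squid_v_output):
    """Read 'Squid Cache: Version X.Y.Z' from `squid -v` output, padded to 4 ints."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*)", squid_v_output)
    if not m:
        raise ValueError("no Squid version string found")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_affected(ver):
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)

def snmp_port_open(squid_conf):
    """True if squid.conf sets snmp_port to a nonzero value (comments ignored)."""
    for line in squid_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"snmp_port\s+(\d+)$", line)
        if m and int(m.group(1)) != 0:
            return True
    return False

def assess(squid_v_output, squid_conf):
    """Classify exposure to CVE-2018-19132 using the conditions from the advisory."""
    if not version_affected(parse_version(squid_v_output)):
        return "not-vulnerable"          # version outside the affected range
    if "--disable-snmp" in squid_v_output:
        return "not-vulnerable"          # SNMP code compiled out entirely
    if snmp_port_open(squid_conf):
        return "vulnerable"              # affected build actually listening for SNMP
    return "not-immediately-vulnerable"  # one config change away from exposure

# Constructed sample inputs (not real host output): an affected 3.5.21 build with SNMP on.
SAMPLE_SQUID_V = (
    "Squid Cache: Version 3.5.21\nService Name: squid\n"
    "configure options:  '--prefix=/usr' '--enable-snmp' '--enable-ssl'\n"
)
SAMPLE_CONF = "http_port 3128\n# snmp_port 0\nsnmp_port 3401\nacl snmppublic snmp_community public\n"

if __name__ == "__main__":
    print(assess(SAMPLE_SQUID_V, SAMPLE_CONF))  # vulnerable
```

On a real host, feed it the output of `squid -v` and the contents of squid.conf; a "vulnerable" result means the update in the comments below applies immediately.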
Fixes ready, pending CVE numbers.
Requested CVE Mitre, let's see if they are willing to assign one for this, since nothing is happening on the DWF front.
Mitre has assigned CVE-2018-19132 for this.
Fixes submitted to all affected codestreams. Reassigning to security team
SUSE-SU-2018:3771-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1082318,1112066,1112695,1113668,1113669 CVE References: CVE-2018-19131,CVE-2018-19132 Sources used: SUSE Linux Enterprise Server 12-SP3 (src): squid-3.5.21-26.12.1
SUSE-SU-2018:3786-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1082318,1112066,1112695,1113668,1113669 CVE References: CVE-2018-19131,CVE-2018-19132 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): squid-4.4-5.3.2
openSUSE-SU-2018:3818-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1082318,1112066,1112695,1113668,1113669 CVE References: CVE-2018-19131,CVE-2018-19132 Sources used: openSUSE Leap 15.0 (src): squid-4.4-lp150.4.3.2
openSUSE-SU-2018:3825-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1082318,1112066,1112695,1113668,1113669 CVE References: CVE-2018-19131,CVE-2018-19132 Sources used: openSUSE Leap 42.3 (src): squid-3.5.21-18.1
SUSE-SU-2018:3771-2: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1082318,1112066,1112695,1113668,1113669 CVE References: CVE-2018-19131,CVE-2018-19132 Sources used: SUSE Linux Enterprise Server 12-SP4 (src): squid-3.5.21-26.12.1
This is an autogenerated message for OBS integration: This bug (1113669) was mentioned in https://build.opensuse.org/request/show/701549 Factory / squid
SLE12 has reached its end-of-life. Resolved.