Bugzilla – Bug 1141329
VUL-1: CVE-2019-12529: squid, squid3: When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uu
Last modified: 2022-10-18 09:31:16 UTC
CVE-2019-12529 An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12529
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12529.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://www.squid-cache.org/Versions/v4/changesets/
http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch
https://github.com/squid-cache/squid/commits/v4
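A constructed model of the length-computation flaw the comment above describes, added here as an example; it is not Squid's code and not the code of the referenced patch. It assumes a base64 alphabet (what a Basic credential carries; the comment calls the decoder uudecode), a 12-byte header value that was copied without a terminator, and a made-up adjacent credential placed right after it. The vulnerable path sizes the decode by walking the lookup table until a non-alphabet byte turns up; the hardened path bounds the walk by the buffer length the caller actually has.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Alphabet of the credential a Basic Proxy-Authorization header carries. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Table lookup: 6-bit value of c, or -1 for any byte outside the alphabet
 * ('=' padding and NUL included), which is what ends the decoder's scan. */
static int b64_value(unsigned char c)
{
    const char *p = memchr(B64, c, 64);
    return p ? (int)(p - B64) : -1;
}

/* Decode the first n alphabet characters of in into out (NUL-terminated).
 * out must hold at least n * 6 / 8 + 1 bytes. Returns bytes written. */
static size_t decode_n(const char *in, size_t n, char *out)
{
    unsigned long acc = 0;
    int bits = 0;
    size_t o = 0;
    for (size_t k = 0; k < n; ++k) {
        int v = b64_value((unsigned char)in[k]);
        if (v < 0)
            break;
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (char)((acc >> bits) & 0xFF);
            acc &= (1UL << bits) - 1;   /* keep only the leftover bits */
        }
    }
    out[o] = '\0';
    return o;
}

/* VULNERABLE (models the flaw in the comment above): the amount to decode
 * is found by walking the table until a non-alphabet byte turns up. Nothing
 * ties that walk to the size of the header buffer, so when the copied value
 * has no terminator the walk, and then the decode, run on into whatever
 * memory follows it. */
static size_t decode_unbounded(const char *header_value, char *out)
{
    size_t len = 0;
    while (b64_value((unsigned char)header_value[len]) >= 0)
        ++len;
    return decode_n(header_value, len, out);
}

/* HARDENED: the caller's buffer length bounds both the scan and the decode. */
static size_t decode_bounded(const char *header_value, size_t value_len,
                             char *out)
{
    size_t len = 0;
    while (len < value_len &&
           b64_value((unsigned char)header_value[len]) >= 0)
        ++len;
    return decode_n(header_value, len, out);
}

/* Constructed "heap": the attacker's 12-byte credential, copied without a
 * terminator, directly followed by adjacent memory holding another user's
 * credential. One array is used so this demonstration itself stays within
 * defined behaviour; in the real bug the adjacent bytes are out of bounds. */
#define HDR_LEN 12
static const char heap_region[] =
    "dXNlcjpwYXNz"       /* base64("user:pass")    - the header value  */
    "b3RoZXI6c2VjcmV0";  /* base64("other:secret") - adjacent memory   */

/* Decode the header value through one of the two paths; returns the
 * cleartext, i.e. what an error page configured to show usernames would
 * display. */
static const char *decode_demo(int bounded)
{
    static char out[64];
    if (bounded)
        decode_bounded(heap_region, HDR_LEN, out);
    else
        decode_unbounded(heap_region, out);
    return out;
}

int main(void)
{
    printf("unbounded: %s\n", decode_demo(0)); /* user:passother:secret */
    printf("bounded:   %s\n", decode_demo(1)); /* user:pass */
    return 0;
}
```

Both paths recover the attacker's own "user:pass"; the unbounded one keeps going and appends "other:secret" from the bytes after the header, which is exactly the adjacent-memory decode the comment describes, and which only becomes visible to the attacker when usernames are shown on error pages. In the model the walk stops at the array's trailing NUL; in the real bug there is no such guarantee, so the over-read can also crash the worker.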
This is an autogenerated message for OBS integration: This bug (1141329) was mentioned in https://build.opensuse.org/request/show/715608 Factory / squid
http://www.squid-cache.org/Advisories/SQUID-2019_2.txt
This is an autogenerated message for OBS integration: This bug (1141329) was mentioned in https://build.opensuse.org/request/show/715745 Factory / squid
SUSE-SU-2019:2089-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1140738,1141329,1141332
CVE References: CVE-2019-12525,CVE-2019-12529,CVE-2019-13345
Sources used:
SUSE OpenStack Cloud 8 (src): squid-3.5.21-26.17.1
SUSE OpenStack Cloud 7 (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server 12-SP4 (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): squid-3.5.21-26.17.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): squid-3.5.21-26.17.1
SUSE Enterprise Storage 5 (src): squid-3.5.21-26.17.1
SUSE Enterprise Storage 4 (src): squid-3.5.21-26.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2089-2: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1140738,1141329,1141332
CVE References: CVE-2019-12525,CVE-2019-12529,CVE-2019-13345
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): squid-3.5.21-26.17.1
SUSE Enterprise Storage 5 (src): squid-3.5.21-26.17.1
HPE Helion Openstack 8 (src): squid-3.5.21-26.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2975-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329
CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): squid-4.9-5.11.1
SUSE Linux Enterprise Module for Server Applications 15 (src): squid-4.9-5.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2540-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329
CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688
Sources used:
openSUSE Leap 15.0 (src): squid-4.9-lp150.13.1

openSUSE-SU-2019:2541-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329
CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688
Sources used:
openSUSE Leap 15.1 (src): squid-4.9-lp151.2.7.1

SUSE-SU-2020:14460-1: An update that fixes 21 vulnerabilities is now available.
Category: security (important)
Bug References: 1140738,1141329,1141332,1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691,1167373,1169659,1170313,1170423,1173304,1173455
CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12523,CVE-2019-12524,CVE-2019-12525,CVE-2019-12526,CVE-2019-12528,CVE-2019-12529,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-18860,CVE-2020-11945,CVE-2020-14059,CVE-2020-15049,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): squid3-3.1.23-8.16.37.12.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): squid3-3.1.23-8.16.37.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.37.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixes should be submitted to all active codestreams. Reassigning to security-team.