Bugzilla – Bug 1156323
VUL-0: CVE-2019-18678: squid,squid3: incorrect message parsing leads to HTTP request splitting issue
Last modified: 2024-12-18 15:51:17 UTC
Problem Description: Due to incorrect message parsing Squid is vulnerable to an HTTP request splitting issue. __________________________________________________________________ Severity: This issue allows attackers to smuggle HTTP requests through frontend software to a Squid which splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches between client and Squid with attacker controlled content at arbitrary URLs.. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor any upstream servers. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 4.9. In addition, a patch addressing this problem for the stable releases can be found in our patch archives: Squid 4: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x have not been checked. All Squid-3.x up to and including 3.5.28 are vulnerable. All Squid-4.x up to and including 4.8 are vulnerable. __________________________________________________________________ Workarounds: There are no workarounds for this vulnerability. http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
This is an autogenerated message for OBS integration: This bug (1156323) was mentioned in https://build.opensuse.org/request/show/746661 Factory / squid
SUSE-SU-2019:2975-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): squid-4.9-5.11.1 SUSE Linux Enterprise Module for Server Applications 15 (src): squid-4.9-5.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2540-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: openSUSE Leap 15.0 (src): squid-4.9-lp150.13.1
openSUSE-SU-2019:2541-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: openSUSE Leap 15.1 (src): squid-4.9-lp151.2.7.1
SUSE-SU-2019:3067-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1140738,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12526,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679 Sources used: SUSE Linux Enterprise Server 12-SP5 (src): squid-4.9-4.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0661-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691 CVE References: CVE-2019-12523,CVE-2019-12526,CVE-2019-12528,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): squid-3.5.21-26.20.1 SUSE OpenStack Cloud 8 (src): squid-3.5.21-26.20.1 SUSE OpenStack Cloud 7 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP4 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): squid-3.5.21-26.20.1 SUSE Enterprise Storage 5 (src): squid-3.5.21-26.20.1 HPE Helion Openstack 8 (src): squid-3.5.21-26.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14460-1: An update that fixes 21 vulnerabilities is now available. Category: security (important) Bug References: 1140738,1141329,1141332,1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691,1167373,1169659,1170313,1170423,1173304,1173455 CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12523,CVE-2019-12524,CVE-2019-12525,CVE-2019-12526,CVE-2019-12528,CVE-2019-12529,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-18860,CVE-2020-11945,CVE-2020-14059,CVE-2020-15049,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.37.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.