Bugzilla – Bug 1156326
VUL-0: CVE-2019-12526: squid,squid3: possible remote code execution attack when processing URN
Last modified: 2024-12-18 15:51:23 UTC
Problem Description: Due to incorrect buffer management Squid is vulnerable to a heap overflow and possible remote code execution attack when processing URN. __________________________________________________________________ Severity: This allows a malicious client to write a substantial amount of arbitrary data to the heap. Potentially gaining ability to execute arbitrary code. On systems with memory access protections this can result in the Squid process being terminated unexpectedly. Resulting in a denial of service for all clients using the proxy. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 4.9. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 4: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x are not vulnerable. All Squid-3.x up to and including 3.5.28 are vulnerable. All Squid-4.x up to and including 4.8 are vulnerable. __________________________________________________________________ Workarounds: Deny urn: protocol URI being proxied to all clients: acl URN proto URN http_access deny URN http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
This is an autogenerated message for OBS integration: This bug (1156326) was mentioned in https://build.opensuse.org/request/show/746661 Factory / squid
SUSE-SU-2019:2975-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): squid-4.9-5.11.1 SUSE Linux Enterprise Module for Server Applications 15 (src): squid-4.9-5.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2540-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: openSUSE Leap 15.0 (src): squid-4.9-lp150.13.1
openSUSE-SU-2019:2541-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1133089,1140738,1141329,1141330,1141332,1141442,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12525,CVE-2019-12526,CVE-2019-12527,CVE-2019-12529,CVE-2019-12854,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-3688 Sources used: openSUSE Leap 15.1 (src): squid-4.9-lp151.2.7.1
SUSE-SU-2019:3067-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1140738,1156323,1156324,1156326,1156328,1156329 CVE References: CVE-2019-12523,CVE-2019-12526,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679 Sources used: SUSE Linux Enterprise Server 12-SP5 (src): squid-4.9-4.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0661-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691 CVE References: CVE-2019-12523,CVE-2019-12526,CVE-2019-12528,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): squid-3.5.21-26.20.1 SUSE OpenStack Cloud 8 (src): squid-3.5.21-26.20.1 SUSE OpenStack Cloud 7 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP4 (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): squid-3.5.21-26.20.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): squid-3.5.21-26.20.1 SUSE Enterprise Storage 5 (src): squid-3.5.21-26.20.1 HPE Helion Openstack 8 (src): squid-3.5.21-26.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14460-1: An update that fixes 21 vulnerabilities is now available. Category: security (important) Bug References: 1140738,1141329,1141332,1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691,1167373,1169659,1170313,1170423,1173304,1173455 CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12523,CVE-2019-12524,CVE-2019-12525,CVE-2019-12526,CVE-2019-12528,CVE-2019-12529,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-18860,CVE-2020-11945,CVE-2020-14059,CVE-2020-15049,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.37.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.