51699 – squid3: Multiple issues (4.4)

Bug 51699 - squid3: Multiple issues (4.4)

Summary: squid3: Multiple issues (4.4)

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.4
Hardware:	All Linux

Importance:	P3 normal
Target Milestone:	UCS 4.4-5-errata
Assignee:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-07-22 14:33 CEST by Quality Assurance
Modified:	2020-08-31 08:28 CEST (History)
CC List:	0 users

See Also:	49600
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:	8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2020-07-22 14:33:44 CEST

New Debian squid3 3.5.23-5+deb9u2A~4.4.5.202007221413 fixes:
This update addresses the following issues:
* Memory leak in SNMP query rejection code (CVE-2018-19132)
* improper check for new member in ESIExpression::Evaluate allows for stack  buffer overflow (CVE-2019-12519)
* improper input validation in request allows for proxy manipulation  (CVE-2019-12520)
* off-by-one error in addStackElement allows for a heap buffer overflow and a  crash (CVE-2019-12521)
* Improper input validation in URI processor (CVE-2019-12523)
* improper access restriction in url_regex may lead to security bypass  (CVE-2019-12524)
* parsing of header Proxy-Authentication leads to memory corruption  (CVE-2019-12525)
* Heap overflow issue in URN processing (CVE-2019-12526)
* Information Disclosure issue in FTP Gateway (CVE-2019-12528)
* information disclosure in Proxy-Authorization header (CVE-2019-12529)
* CVe-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi  (CVE-2019-13345)
* Buffer overflow in URI processor (CVE-2019-18676)
* Cross-Site Request Forgery issue in HTTP Request processing  (CVE-2019-18677)
* HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)
* Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)
* mishandles HTML in the host parameter to cachemgr.cgi which could result in  squid behaving in unsecure way (CVE-2019-18860)
* Improper input validation issues in HTTP Request processing (CVE-2020-8449)
* Buffer overflow in a Squid acting as reverse-proxy (CVE-2020-8450)
* improper access restriction upon Digest Authentication nonce replay could  lead to remote code execution (CVE-2020-11945)

Comment 1 Quality Assurance

2020-07-23 16:32:44 CEST

--- mirror/ftp/4.3/unmaintained/4.3-3/source/squid3_3.5.23-5+deb9u1A~4.3.0.201810151142.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/squid3_3.5.23-5+deb9u2A~4.4.5.202007221413.dsc
@@ -1,9 +1,19 @@
-3.5.23-5+deb9u1A~4.3.0.201810151142 [Mon, 15 Oct 2018 11:42:35 +0200] Univention builddaemon <buildd@univention.de>:
+3.5.23-5+deb9u2A~4.4.5.202007221413 [Wed, 22 Jul 2020 14:33:57 +0200] Univention builddaemon <buildd@univention.de>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    001-enable-ssl
-    005-squid-4-14311
-    006-postinst
+  * UCS auto build. No patches were applied to the original source package
+
+3.5.23-5+deb9u2 [Fri, 10 Jul 2020 21:58:09 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521,
+    CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526,
+    CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676,
+    CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860,
+    CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450.
+    Several security vulnerabilites were discovered in squid3.
+    Due to incorrect input validation and URL request handling it was possible
+    to bypass access restrictions which allowed access to restricted HTTP
+    servers and to cause a denial-of-service.
 
 3.5.23-5+deb9u1 [Sun, 11 Feb 2018 22:00:18 +0100] Salvatore Bonaccorso <carnil@debian.org>:
 

<http://10.200.17.11/4.4-5/#8624552597215606352>

Comment 2 Philipp Hahn

2020-07-23 17:20:18 CEST

Patches again missing due to Bug #49600

r19110 | Bug #51699: squid3 3.5.23-5+deb9u2

Package: squid3
Version: 3.5.23-5+deb9u2A~4.4.5.202007221413
Branch: ucs_4.4-0-errata4.4-5
Scope: errata4.4-5

Comment 3 Philipp Hahn

2020-07-24 05:55:14 CEST

Package: squid3
Version: 3.5.23-5+deb9u2A~4.4.5.202007231723
Branch: ucs_4.4-0
Scope: errata4.4-5

Comment 4 Quality Assurance

2020-07-24 06:00:30 CEST

--- mirror/ftp/4.3/unmaintained/4.3-3/source/squid3_3.5.23-5+deb9u1A~4.3.0.201810151142.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/squid3_3.5.23-5+deb9u2A~4.4.5.202007231723.dsc
@@ -1,9 +1,22 @@
-3.5.23-5+deb9u1A~4.3.0.201810151142 [Mon, 15 Oct 2018 11:42:35 +0200] Univention builddaemon <buildd@univention.de>:
+3.5.23-5+deb9u2A~4.4.5.202007231723 [Thu, 23 Jul 2020 17:23:15 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     001-enable-ssl
     005-squid-4-14311
     006-postinst
+
+3.5.23-5+deb9u2 [Fri, 10 Jul 2020 21:58:09 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521,
+    CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526,
+    CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676,
+    CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860,
+    CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450.
+    Several security vulnerabilites were discovered in squid3.
+    Due to incorrect input validation and URL request handling it was possible
+    to bypass access restrictions which allowed access to restricted HTTP
+    servers and to cause a denial-of-service.
 
 3.5.23-5+deb9u1 [Sun, 11 Feb 2018 22:00:18 +0100] Salvatore Bonaccorso <carnil@debian.org>:
 

<http://10.200.17.11/4.4-5/#3032204077381175465>

Comment 5 Philipp Hahn

2020-07-24 06:13:30 CEST

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] de4c25b444 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007231723
 doc/errata/staging/squid3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-5] 810253f53d Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-5] 56a1b91995 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

[4.4-5] 3bf1d6f4c2 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 57 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

Comment 6 Erik Damrose

2020-07-29 16:50:34 CEST

<https://errata.software-univention.de/#/?erratum=4.4x675>