New Debian squid3 3.5.23-5+deb9u2A~4.4.5.202007221413 fixes: This update addresses the following issues:
* Memory leak in SNMP query rejection code (CVE-2018-19132)
* Improper check for a new member in ESIExpression::Evaluate allows a stack buffer overflow (CVE-2019-12519)
* Improper input validation in request handling allows proxy manipulation (CVE-2019-12520)
* Off-by-one error in addStackElement allows a heap buffer overflow and a crash (CVE-2019-12521)
* Improper input validation in the URI processor (CVE-2019-12523)
* Improper access restriction in url_regex may lead to a security bypass (CVE-2019-12524)
* Parsing of the Proxy-Authentication header leads to memory corruption (CVE-2019-12525)
* Heap overflow in URN processing (CVE-2019-12526)
* Information disclosure in the FTP gateway (CVE-2019-12528)
* Information disclosure in Proxy-Authorization header handling (CVE-2019-12529)
* XSS via the user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
* Buffer overflow in the URI processor (CVE-2019-18676)
* Cross-Site Request Forgery in HTTP request processing (CVE-2019-18677)
* HTTP request splitting in HTTP message processing (CVE-2019-18678)
* Information disclosure in HTTP Digest authentication (CVE-2019-18679)
* HTML in the host parameter to cachemgr.cgi is mishandled, which could make squid behave in an insecure way (CVE-2019-18860)
* Improper input validation in HTTP request processing (CVE-2020-8449)
* Buffer overflow in a Squid acting as reverse proxy (CVE-2020-8450)
* Improper access restriction on Digest authentication nonce replay could lead to remote code execution (CVE-2020-11945)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/squid3_3.5.23-5+deb9u1A~4.3.0.201810151142.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/squid3_3.5.23-5+deb9u2A~4.4.5.202007221413.dsc @@ -1,9 +1,19 @@ -3.5.23-5+deb9u1A~4.3.0.201810151142 [Mon, 15 Oct 2018 11:42:35 +0200] Univention builddaemon <buildd@univention.de>: +3.5.23-5+deb9u2A~4.4.5.202007221413 [Wed, 22 Jul 2020 14:33:57 +0200] Univention builddaemon <buildd@univention.de>: - * UCS auto build. The following patches have been applied to the original source package - 001-enable-ssl - 005-squid-4-14311 - 006-postinst + * UCS auto build. No patches were applied to the original source package + +3.5.23-5+deb9u2 [Fri, 10 Jul 2020 21:58:09 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521, + CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526, + CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676, + CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860, + CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450. + Several security vulnerabilites were discovered in squid3. + Due to incorrect input validation and URL request handling it was possible + to bypass access restrictions which allowed access to restricted HTTP + servers and to cause a denial-of-service. 3.5.23-5+deb9u1 [Sun, 11 Feb 2018 22:00:18 +0100] Salvatore Bonaccorso <carnil@debian.org>: <http://10.200.17.11/4.4-5/#8624552597215606352>
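Review bot: the new 3.5.23-5+deb9u2A~4.4.5.202007221413 changelog entry says "No patches were applied to the original source package", while the entry it replaces (3.5.23-5+deb9u1A~4.3.0.201810151142) listed 001-enable-ssl, 005-squid-4-14311 and 006-postinst. Dropping those three UCS patches silently changes the shipped package (SSL support from 001-enable-ssl and the postinst changes from 006-postinst are gone), so this build must not be released as is; rebuild with the patch stack applied and keep the "The following patches have been applied to the original source package" wording with the three patch names, as in the removed entry.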
Patches again missing due to Bug #49600

r19110 | Bug #51699: squid3 3.5.23-5+deb9u2
Package: squid3
Version: 3.5.23-5+deb9u2A~4.4.5.202007221413
Branch: ucs_4.4-0-errata4.4-5
Scope: errata4.4-5
Package: squid3
Version: 3.5.23-5+deb9u2A~4.4.5.202007231723
Branch: ucs_4.4-0
Scope: errata4.4-5
--- mirror/ftp/4.3/unmaintained/4.3-3/source/squid3_3.5.23-5+deb9u1A~4.3.0.201810151142.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/squid3_3.5.23-5+deb9u2A~4.4.5.202007231723.dsc @@ -1,9 +1,22 @@ -3.5.23-5+deb9u1A~4.3.0.201810151142 [Mon, 15 Oct 2018 11:42:35 +0200] Univention builddaemon <buildd@univention.de>: +3.5.23-5+deb9u2A~4.4.5.202007231723 [Thu, 23 Jul 2020 17:23:15 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 001-enable-ssl 005-squid-4-14311 006-postinst + +3.5.23-5+deb9u2 [Fri, 10 Jul 2020 21:58:09 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521, + CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526, + CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676, + CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860, + CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450. + Several security vulnerabilites were discovered in squid3. + Due to incorrect input validation and URL request handling it was possible + to bypass access restrictions which allowed access to restricted HTTP + servers and to cause a denial-of-service. 3.5.23-5+deb9u1 [Sun, 11 Feb 2018 22:00:18 +0100] Salvatore Bonaccorso <carnil@debian.org>: <http://10.200.17.11/4.4-5/#3032204077381175465>
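Review bot: this rebuild (3.5.23-5+deb9u2A~4.4.5.202007231723) lists 001-enable-ssl, 005-squid-4-14311 and 006-postinst again, so the missing-patches regression of the 202007221413 build is addressed; the context line "UCS auto build. The following patches have been applied ..." is unchanged from the 2018 entry, though, and the dsc diff alone does not show that the three patches still apply without fuzz on top of the new 3.5.23-5+deb9u2 source. Since the deb9u2 changelog describes fixes in URL request handling, confirm from the build log that 005-squid-4-14311 applied cleanly and that the resulting binary still has SSL enabled before the erratum is announced.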
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] de4c25b444 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007231723
 doc/errata/staging/squid3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
[4.4-5] 810253f53d Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
[4.4-5] 56a1b91995 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
[4.4-5] 3bf1d6f4c2 Bug #51699: squid3 3.5.23-5+deb9u2A~4.4.5.202007221413
 doc/errata/staging/squid3.yaml | 57 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x675>