Lucene search

DebianDEBIAN:DLA-1858-1:1A45F

HistoryJul 20, 2019 - 11:09 p.m.

[SECURITY] [DLA 1858-1] squid3 security update

2019-07-2023:09:33

lists.debian.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

Low

EPSS

0.125

Percentile

95.5%

JSON

Package : squid3
Version : 3.4.8-6+deb8u8
CVE ID : CVE-2019-12525 CVE-2019-12529

Squid, a high-performance proxy caching server for web clients, has been
found vulnerable to denial of service attacks associated with HTTP
authentication header processing.

CVE-2019-12525

Due to incorrect buffer management Squid is vulnerable to a denial
of service attack when processing HTTP Digest Authentication
credentials.

Due to incorrect input validation the HTTP Request header parser for
Digest authentication may access memory outside the allocated memory
buffer.

On systems with memory access protections this can result in the
Squid process being terminated unexpectedly. Resulting in a denial
of service for all clients using the proxy.

CVE-2019-12529

Due to incorrect buffer management Squid is vulnerable to a denial
of service attack when processing HTTP Basic Authentication
credentials.

Due to incorrect string termination the Basic authentication
credentials decoder may access memory outside the decode buffer.

On systems with memory access protections this can result in the
Squid process being terminated unexpectedly. Resulting in a denial
of service for all clients using the proxy.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.8-6+deb8u8.

We recommend that you upgrade your squid3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian10mipselsquid< 4.6-1+deb10u1squid_4.6-1+deb10u1_mipsel.deb
Debian10ppc64elsquid< 4.6-1+deb10u1squid_4.6-1+deb10u1_ppc64el.deb
Debian10allsquid3< 4.6-1+deb10u1squid3_4.6-1+deb10u1_all.deb
Debian10armelsquidclient< 4.6-1+deb10u1squidclient_4.6-1+deb10u1_armel.deb
Debian9amd64squidclient< 3.5.23-5+deb9u2squidclient_3.5.23-5+deb9u2_amd64.deb
Debian10armhfsquid< 4.6-1+deb10u1squid_4.6-1+deb10u1_armhf.deb
Debian10mipselsquid-purge-dbgsym< 4.6-1+deb10u1squid-purge-dbgsym_4.6-1+deb10u1_mipsel.deb
Debian10armelsquidclient-dbgsym< 4.6-1+deb10u1squidclient-dbgsym_4.6-1+deb10u1_armel.deb
Debian10i386squidclient-dbgsym< 4.6-1+deb10u1squidclient-dbgsym_4.6-1+deb10u1_i386.deb
Debian8allsquid3< 3.4.8-6+deb8u8squid3_3.4.8-6+deb8u8_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	mipsel	squid	< 4.6-1+deb10u1	squid_4.6-1+deb10u1_mipsel.deb
Debian	10	ppc64el	squid	< 4.6-1+deb10u1	squid_4.6-1+deb10u1_ppc64el.deb
Debian	10	all	squid3	< 4.6-1+deb10u1	squid3_4.6-1+deb10u1_all.deb
Debian	10	armel	squidclient	< 4.6-1+deb10u1	squidclient_4.6-1+deb10u1_armel.deb
Debian	9	amd64	squidclient	< 3.5.23-5+deb9u2	squidclient_3.5.23-5+deb9u2_amd64.deb
Debian	10	armhf	squid	< 4.6-1+deb10u1	squid_4.6-1+deb10u1_armhf.deb
Debian	10	mipsel	squid-purge-dbgsym	< 4.6-1+deb10u1	squid-purge-dbgsym_4.6-1+deb10u1_mipsel.deb
Debian	10	armel	squidclient-dbgsym	< 4.6-1+deb10u1	squidclient-dbgsym_4.6-1+deb10u1_armel.deb
Debian	10	i386	squidclient-dbgsym	< 4.6-1+deb10u1	squidclient-dbgsym_4.6-1+deb10u1_i386.deb
Debian	8	all	squid3	< 3.4.8-6+deb8u8	squid3_3.4.8-6+deb8u8_all.deb