
Bug 719046 (CVE-2019-12519, CVE-2019-12521, CVE-2020-11945)

Summary: <net-proxy/squid-4.11: Multiple vulnerabilities (CVE-2019-{12519,12521}, CVE-2020-11945)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hydrapolic, zlogene
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000112.html
Whiteboard: B2 [glsa+ cve]
Package list:
net-proxy/squid-4.11 amd64 arm ppc ppc64 x86
Runtime testing required: ---
Bug Depends on: 719662    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 13:24:11 UTC
1) CVE-2019-12519 / CVE-2019-12521

Description:
"These problems allow a remote server delivering certain ESI
response syntax to trigger a buffer overflow.

....

The CVE-2019-12519 issue also overwrites arbitrary attacker
controlled information onto the process stack. Allowing remote
code execution with certain crafted ESI payloads.

These problems are restricted to ESI responses received from an
upstream server. Attackers have to compromise the server or
transmission channel to utilize these vulnerabilities."

Advisory: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000115.html

2) CVE-2019-18679

See bug 699854.

Description:
"The initial patch for this vulnerability significantly hardened
against attacks. However it was still possible for an attacker
to gain information over time about a Squid instance.

This release completely removes that possibility."


3) CVE-2020-11945

Description:
"Due to an integer overflow bug Squid is vulnerable to credential
replay and remote code execution attacks against HTTP Digest
Authentication tokens."

Advisory: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000114.html

----
Announce: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000112.html
Comment 1 Tomáš Mózes 2020-04-24 04:27:51 UTC
A copy of 4.10 builds and runs fine.
Comment 2 NATTkA bot gentoo-dev 2020-04-24 10:56:25 UTC
Unable to check for sanity:

> no match for package: net-proxy/squid-4.12
Comment 3 NATTkA bot gentoo-dev 2020-04-24 11:00:28 UTC
All sanity-check issues have been resolved
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-26 14:17:46 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-26 14:19:24 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-26 15:29:46 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-26 15:31:57 UTC
ppc64 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-05-12 23:41:45 UTC
This issue was resolved and addressed in GLSA 202005-05 at https://security.gentoo.org/glsa/202005-05 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-05-12 23:42:16 UTC
Re-opening for remaining architectures.
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-20 06:25:01 UTC
ppc stable.

Maintainer(s), please clean up.