1) CVE-2019-12519 / CVE-2019-12521 Description: "These problems allow a remote server delivering certain ESI response syntax to trigger a buffer overflow. .... The CVE-2019-12519 issue also overwrites arbitrary attacker controlled information onto the process stack. Allowing remote code execution with certain crafted ESI payloads. These problems are restricted to ESI responses received from an upstream server. Attackers have to compromise the server or transmission channel to utilize these vulnerabilities." Advisory: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000115.html 2) CVE-2019-18679 See bug 699854. Description: "The initial patch for this vulnerability significantly hardened against attacks. However it was still possible for an attacker to gain information over time about a Squid instance. This release completely removes that possibility." 3) CVE-2020-11945 Description: "Due to an integer overflow bug Squid is vulnerable to credential replay and remote code execution attacks against HTTP Digest Authentication tokens." Advisory: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000114.html ---- Announce: http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000112.html
A copy of 4.10 builds and runs fine.
Unable to check for sanity: > no match for package: net-proxy/squid-4.12
All sanity-check issues have been resolved
x86 stable
arm stable
amd64 stable
ppc64 stable
This issue was resolved and addressed in GLSA 202005-05 at https://security.gentoo.org/glsa/202005-05 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
ppc stable. Maintainer(s), please cleanup.
