1) CVE-2019-12519 / CVE-2019-12521
"These problems allow a remote server delivering certain ESI
response syntax to trigger a buffer overflow.
The CVE-2019-12519 issue also overwrites arbitrary attacker
controlled information onto the process stack, allowing remote
code execution with certain crafted ESI payloads.
These problems are restricted to ESI responses received from an
upstream server. Attackers have to compromise the server or
transmission channel to utilize these vulnerabilities."
See bug 699854.
"The initial patch for this vulnerability significantly hardened
against attacks. However, it was still possible for an attacker
to gain information over time about a Squid instance.
This release completely removes that possibility."
"Due to an integer overflow bug Squid is vulnerable to credential
replay and remote code execution attacks against HTTP Digest
A copy of 4.10 builds and runs fine.
Unable to check for sanity:
> no match for package: net-proxy/squid-4.12
All sanity-check issues have been resolved
This issue was resolved and addressed in
GLSA 202005-05 at https://security.gentoo.org/glsa/202005-05
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
Maintainer(s), please cleanup.