Arch Linux 811 Published by

Updated squid packages has been released for Arch Linux to address three vulnerabilities, including arbitrary code execution, content spoofing and information disclosure.



Arch Linux Security Advisory ASA-201911-8
=========================================

Severity: Critical
Date : 2019-11-07
CVE-ID : CVE-2019-12526 CVE-2019-18678 CVE-2019-18679
Package : squid
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1062

Summary
=======

The package squid before version 4.9-1 is vulnerable to multiple issues
including arbitrary code execution, content spoofing and information
disclosure.

Resolution
==========

Upgrade to 4.9-1.

# pacman -Syu "squid>=4.9-1"

The problems have been fixed upstream in version 4.9.

Workaround
==========

- CVE-2019-12526

Deny urn: protocol URI being proxied to all clients:

acl URN proto URN
http_access deny URN

- CVE-2019-18678

There are no workarounds for this vulnerability.

- CVE-2019-18679

Digest authentication can be disabled by removing all 'auth_param
digest ...' configuration settings from squid.conf.

Description
===========

- CVE-2019-12526 (arbitrary code execution)

A heap-based buffer overflow has been found in Squid before 4.9, when
processing URN.

- CVE-2019-18678 (content spoofing)

A HTTP request splitting issue has been found in Squid before 4.9. This
issue allows attackers to smuggle HTTP requests through frontend
software to a Squid which splits the HTTP Request pipeline differently.
The resulting Response messages corrupt caches between client and Squid
with attacker controlled content at arbitrary URLs.

- CVE-2019-18679 (information disclosure)

An information disclosure issue has been found in Squid before 4.9,
when processing HTTP Digest Authentication. The nonce tokens contain
the raw byte value of a pointer which sits within heap memory
allocation, which reduces ASLR protections and may aid attackers
isolating memory areas to target for remote code execution attacks.

Impact
======

A remote attacker might access sensitive information, corrupt the
content of arbitrary URLs in the caches or execute arbitrary code.

References
==========

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patc
https://security.archlinux.org/CVE-2019-12526
https://security.archlinux.org/CVE-2019-18678
https://security.archlinux.org/CVE-2019-18679