Issued:
2020-11-03
Updated:
2020-11-03

RHSA-2020:4743 - Security Advisory

Synopsis

Moderate: squid:4 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

The following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467)

Security Fix(es):

  • squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520)
  • squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521)
  • squid: Improper input validation in URI processor (CVE-2019-12523)
  • squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524)
  • squid: Heap overflow issue in URN processing (CVE-2019-12526)
  • squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)
  • squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529)
  • squid: Denial of service in cachemgr.cgi (CVE-2019-12854)
  • squid: Buffer overflow in URI processor (CVE-2019-18676)
  • squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677)
  • squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)
  • squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)
  • squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860)
  • squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449)
  • squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)
  • squid: DoS in TLS handshake (CVE-2020-14058)
  • squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)
  • squid: Improper input validation could result in a DoS (CVE-2020-24606)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1730523 - CVE-2019-12854 squid: Denial of service in cachemgr.cgi
  • BZ - 1730528 - CVE-2019-12529 squid: Out of bounds read in Proxy-Authorization header causes DoS
  • BZ - 1770349 - CVE-2019-18678 squid: HTTP Request Splitting issue in HTTP message processing
  • BZ - 1770356 - CVE-2019-12526 squid: Heap overflow issue in URN processing
  • BZ - 1770360 - CVE-2019-18679 squid: Information Disclosure issue in HTTP Digest Authentication
  • BZ - 1770365 - CVE-2019-18677 squid: Cross-Site Request Forgery issue in HTTP Request processing
  • BZ - 1770371 - CVE-2019-12523 squid: Improper input validation in URI processor
  • BZ - 1770375 - CVE-2019-18676 squid: Buffer overflow in URI processor
  • BZ - 1798534 - CVE-2019-12528 squid: Information Disclosure issue in FTP Gateway
  • BZ - 1798540 - CVE-2020-8449 squid: Improper input validation issues in HTTP Request processing
  • BZ - 1798552 - CVE-2020-8450 squid: Buffer overflow in reverse-proxy configurations
  • BZ - 1817121 - CVE-2019-18860 squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
  • BZ - 1827558 - CVE-2019-12520 squid: Improper input validation in request allows for proxy manipulation
  • BZ - 1827562 - CVE-2019-12521 squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash
  • BZ - 1827570 - CVE-2019-12524 squid: Improper access restriction in url_regex may lead to security bypass
  • BZ - 1852550 - CVE-2020-15049 squid: Request smuggling and poisoning attack against the HTTP cache
  • BZ - 1852554 - CVE-2020-14058 squid: DoS in TLS handshake
  • BZ - 1871705 - CVE-2020-24606 squid: Improper input validation could result in a DoS

Red Hat Enterprise Linux for x86_64 8

SRPM
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff
squid-4.11-3.module+el8.3.0+7851+7808b5f9.src.rpm SHA-256: ca32f72ab95f0ff2383c37822127b238dea8d1df230602eb9391cb8883e1bad1
x86_64
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: d9d61e2135b220b3d61ae42ef3168afe872f28e6ba90ec1e7c12f99ee0cd09bf
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: fcf34d948d19d8ceec11c33bfbd410918882c1e2d5f98d317d47f40935a8beca
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 3a323f9bd1ce4c4fdba3eed2f8c5ab67ef86553708394d3ef6c55c579d339c60
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 1b13a8613f81f5551073df17797db405c70acc0e332bbc915d50459e2e7f4530
squid-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm SHA-256: a0ab64cb568455ce33012319e554a220fb45022a409f6e2ca8148a4ba17d98cf
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm SHA-256: a319e623c5bc7ad8d19e264de3882457a5f08bc9b3cebd42a33059e5dd0176d4
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.x86_64.rpm SHA-256: 395f8d1e86b8789952e1dc4c09324af405515c9c9e9d71c2a8348b076881b825

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff
squid-4.11-3.module+el8.3.0+7851+7808b5f9.src.rpm SHA-256: ca32f72ab95f0ff2383c37822127b238dea8d1df230602eb9391cb8883e1bad1
s390x
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm SHA-256: 11155457578ba82d131c38520ef1e704de6c8b532b17ccfcdb0feb647158d7d5
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm SHA-256: c9809c43b34e764d8904dc2b31a213fe0dc49208feabcacd8106caef9d24b507
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm SHA-256: 4c5372dcfd4429ace80a62242882c6dfbf39a9eef2c8b84c2aa2b7292b24ce68
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm SHA-256: 7c3257862efc0e7f5a93f35535fb2292ca7a11342ff72e3f03d5a934a86821f3
squid-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm SHA-256: f8d6659f476714eadf91911df87fef9b0c80241a9213f5c44176e1fac263e11d
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm SHA-256: 0eeb8d414edef7bebfdfaa0d5d7634082bb28fab69676cab55371a0143646fc4
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.s390x.rpm SHA-256: b589b8517bfc8e6a3192df4732a8ddf21c293aea7fb06e5ab3d099d608af896e

Red Hat Enterprise Linux for Power, little endian 8

SRPM
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff
squid-4.11-3.module+el8.3.0+7851+7808b5f9.src.rpm SHA-256: ca32f72ab95f0ff2383c37822127b238dea8d1df230602eb9391cb8883e1bad1
ppc64le
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm SHA-256: 1ba6e6a7a7f64c91b5f49112a2d3437e5a4156c04cb2664d9f06985ffd631fac
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm SHA-256: 2ef0dadb839911f6fb556005df57f2531f2dd215e8bd7dceb39370910050c6a4
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm SHA-256: 1cd7655a19f36b9eaf1cc95fd3e85d2f3cfa1a76e9206ca639fb16f14634f3dd
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm SHA-256: 2d8756169558e12e281f18a9da93cc49c525ef908c8f2533f81e3a98b22d1e68
squid-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm SHA-256: a9ef08f4f89a64000fc35fb5429b25d66612b85a88a841128b5be469d95f55bc
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm SHA-256: 2d804805ec9e2f6cf043e9e6592c4ac13839e5b4cf7f24e7d0f8042411a08617
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.ppc64le.rpm SHA-256: 83747e05b089c37489b93d02c2460bcc9af0f5c2cc19d650479176141494d31d

Red Hat Enterprise Linux for ARM 64 8

SRPM
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff
squid-4.11-3.module+el8.3.0+7851+7808b5f9.src.rpm SHA-256: ca32f72ab95f0ff2383c37822127b238dea8d1df230602eb9391cb8883e1bad1
aarch64
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm SHA-256: 31c61fd165ea82f7e30b0b4f8e9f9fd6a5eae832149c81c14fd706f902fed84a
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm SHA-256: 450f2a9aa696793f5c1ffb9e62a89bb182e442404b5915306060cd696dbc71e2
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm SHA-256: 835ebb3c576f9b1c5ece2e8b3a5a44c0a87f57b3df4fe793c8d7984953397d63
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm SHA-256: 3313cc4f037084e4f913b10b252a7750d6a5a282930643ad92982e3d1330893a
squid-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm SHA-256: dac3a02b25db9bf1398647deb793bd11f67032188261d8673123263b128bc4a7
squid-debuginfo-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm SHA-256: 89e609aa6813ccaed292a4fe0a481ccdedeb9e20e9012e6eb87cb00dcb00df9e
squid-debugsource-4.11-3.module+el8.3.0+7851+7808b5f9.aarch64.rpm SHA-256: 6318f16e61a1ce8b6b1418470b8868500012f43c063f407c4632000c793b3992

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.