Security update for squid SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1346-1 Final 1 1 2020-09-05T12:23:36Z current 2020-09-05T12:23:36Z 2020-09-05T12:23:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: squid was updated to version 4.13: - CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671). - CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665). - CVE-2020-15810: Enforce token characters for field-name (bsc#1175664). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1346 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/ E-Mail link for openSUSE-SU-2020:1346-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173455 SUSE Bug 1173455 https://bugzilla.suse.com/1175664 SUSE Bug 1175664 https://bugzilla.suse.com/1175665 SUSE Bug 1175665 https://bugzilla.suse.com/1175671 SUSE Bug 1175671 https://www.suse.com/security/cve/CVE-2020-15049/ SUSE CVE CVE-2020-15049 page https://www.suse.com/security/cve/CVE-2020-15810/ SUSE CVE CVE-2020-15810 page https://www.suse.com/security/cve/CVE-2020-15811/ SUSE CVE CVE-2020-15811 page https://www.suse.com/security/cve/CVE-2020-24606/ SUSE CVE CVE-2020-24606 page openSUSE Leap 15.1 squid-4.13-lp151.2.24.1 squid-4.13-lp151.2.24.1 as a component of openSUSE Leap 15.1 An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value. CVE-2020-15049 openSUSE Leap 15.1:squid-4.13-lp151.2.24.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/ https://www.suse.com/security/cve/CVE-2020-15049.html CVE-2020-15049 https://bugzilla.suse.com/1173455 SUSE Bug 1173455 https://bugzilla.suse.com/1174381 SUSE Bug 1174381 An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream. CVE-2020-15810 openSUSE Leap 15.1:squid-4.13-lp151.2.24.1 critical 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/ https://www.suse.com/security/cve/CVE-2020-15810.html CVE-2020-15810 https://bugzilla.suse.com/1175664 SUSE Bug 1175664 An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches. CVE-2020-15811 openSUSE Leap 15.1:squid-4.13-lp151.2.24.1 critical 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/ https://www.suse.com/security/cve/CVE-2020-15811.html CVE-2020-15811 https://bugzilla.suse.com/1175665 SUSE Bug 1175665 Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF. CVE-2020-24606 openSUSE Leap 15.1:squid-4.13-lp151.2.24.1 important 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/ https://www.suse.com/security/cve/CVE-2020-24606.html CVE-2020-24606 https://bugzilla.suse.com/1175671 SUSE Bug 1175671