Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2089-1 Final 1 1 2019-08-08T09:51:19Z current 2019-08-08T09:51:19Z 2019-08-08T09:51:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: Security issue fixed: - CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329). - CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332). - CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-2089,SUSE-OpenStack-Cloud-7-2019-2089,SUSE-OpenStack-Cloud-8-2019-2089,SUSE-SLE-SAP-12-SP2-2019-2089,SUSE-SLE-SAP-12-SP3-2019-2089,SUSE-SLE-SERVER-12-SP2-2019-2089,SUSE-SLE-SERVER-12-SP2-BCL-2019-2089,SUSE-SLE-SERVER-12-SP3-2019-2089,SUSE-SLE-SERVER-12-SP3-BCL-2019-2089,SUSE-SLE-SERVER-12-SP4-2019-2089,SUSE-Storage-4-2019-2089,SUSE-Storage-5-2019-2089 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192089-1/ Link for SUSE-SU-2019:2089-1 https://lists.suse.com/pipermail/sle-security-updates/2019-August/005801.html E-Mail link for SUSE-SU-2019:2089-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1140738 SUSE Bug 1140738 https://bugzilla.suse.com/1141329 SUSE Bug 1141329 https://bugzilla.suse.com/1141332 SUSE Bug 1141332 https://www.suse.com/security/cve/CVE-2019-12525/ SUSE CVE CVE-2019-12525 page https://www.suse.com/security/cve/CVE-2019-12529/ SUSE CVE CVE-2019-12529 page https://www.suse.com/security/cve/CVE-2019-13345/ SUSE CVE CVE-2019-13345 page SUSE Enterprise Storage 4 SUSE Enterprise Storage 5 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 squid-3.5.21-26.17.1 squid-3.5.21-26.17.1 as a component of SUSE Enterprise Storage 4 squid-3.5.21-26.17.1 as a component of SUSE Enterprise Storage 5 squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server 12 SP2-LTSS squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server 12 SP3-LTSS squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server 12 SP4 squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 squid-3.5.21-26.17.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 squid-3.5.21-26.17.1 as a component of SUSE OpenStack Cloud 7 squid-3.5.21-26.17.1 as a component of SUSE OpenStack Cloud 8 An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1. CVE-2019-12525 SUSE Enterprise Storage 4:squid-3.5.21-26.17.1 SUSE Enterprise Storage 5:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP4:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 7:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 8:squid-3.5.21-26.17.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192089-1/ https://www.suse.com/security/cve/CVE-2019-12525.html CVE-2019-12525 https://bugzilla.suse.com/1141332 SUSE Bug 1141332 An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages. CVE-2019-12529 SUSE Enterprise Storage 4:squid-3.5.21-26.17.1 SUSE Enterprise Storage 5:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP4:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 7:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 8:squid-3.5.21-26.17.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192089-1/ https://www.suse.com/security/cve/CVE-2019-12529.html CVE-2019-12529 https://bugzilla.suse.com/1141329 SUSE Bug 1141329 The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. CVE-2019-13345 SUSE Enterprise Storage 4:squid-3.5.21-26.17.1 SUSE Enterprise Storage 5:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP2-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-BCL:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP3-LTSS:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server 12 SP4:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:squid-3.5.21-26.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 7:squid-3.5.21-26.17.1 SUSE OpenStack Cloud 8:squid-3.5.21-26.17.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192089-1/ https://www.suse.com/security/cve/CVE-2019-13345.html CVE-2019-13345 https://bugzilla.suse.com/1140738 SUSE Bug 1140738