Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3531-1 Final 1 1 2022-10-06T07:21:55Z current 2022-10-06T07:21:55Z 2022-10-06T07:21:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: Updated squid to version 5.7: - CVE-2022-41317: Fixed exposure of sensitive information in cache manager (bsc#1203677). - CVE-2022-41318: Fixed buffer overread in SSPI and SMB Authentication (bsc#1203680). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP4-Manager-Proxy-4-3-BYOS-2022-3531,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure-2022-3531,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2-2022-3531,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE-2022-3531,SUSE-2022-3531,SUSE-SLE-Module-Server-Applications-15-SP4-2022-3531,openSUSE-SLE-15.4-2022-3531 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223531-1/ Link for SUSE-SU-2022:3531-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012509.html E-Mail link for SUSE-SU-2022:3531-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203677 SUSE Bug 1203677 https://bugzilla.suse.com/1203680 SUSE Bug 1203680 https://www.suse.com/security/cve/CVE-2022-41317/ SUSE CVE CVE-2022-41317 page https://www.suse.com/security/cve/CVE-2022-41318/ SUSE CVE CVE-2022-41318 page Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.4 squid-5.7-150400.3.6.1 squid-5.7-150400.3.6.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS squid-5.7-150400.3.6.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure squid-5.7-150400.3.6.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 squid-5.7-150400.3.6.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE squid-5.7-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 squid-5.7-150400.3.6.1 as a component of openSUSE Leap 15.4 An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7. CVE-2022-41317 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.6.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.6.1 openSUSE Leap 15.4:squid-5.7-150400.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223531-1/ https://www.suse.com/security/cve/CVE-2022-41317.html CVE-2022-41317 https://bugzilla.suse.com/1203677 SUSE Bug 1203677 A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7. CVE-2022-41318 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:squid-5.7-150400.3.6.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:squid-5.7-150400.3.6.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:squid-5.7-150400.3.6.1 openSUSE Leap 15.4:squid-5.7-150400.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223531-1/ https://www.suse.com/security/cve/CVE-2022-41318.html CVE-2022-41318 https://bugzilla.suse.com/1203680 SUSE Bug 1203680