Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3533-1 Final 1 1 2022-10-06T07:22:33Z current 2022-10-06T07:22:33Z 2022-10-06T07:22:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: - CVE-2022-41317: Fixed exposure of sensitive information in cache manager (bsc#1203677). - CVE-2022-41318: Fixed buffer overread in SSPI and SMB Authentication (bsc#1203680). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3533,SUSE-OpenStack-Cloud-9-2022-3533,SUSE-OpenStack-Cloud-Crowbar-9-2022-3533,SUSE-SLE-SAP-12-SP4-2022-3533,SUSE-SLE-SERVER-12-SP2-BCL-2022-3533,SUSE-SLE-SERVER-12-SP3-BCL-2022-3533,SUSE-SLE-SERVER-12-SP4-LTSS-2022-3533 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223533-1/ Link for SUSE-SU-2022:3533-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012502.html E-Mail link for SUSE-SU-2022:3533-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203677 SUSE Bug 1203677 https://bugzilla.suse.com/1203680 SUSE Bug 1203680 https://www.suse.com/security/cve/CVE-2022-41317/ SUSE CVE CVE-2022-41317 page https://www.suse.com/security/cve/CVE-2022-41318/ SUSE CVE CVE-2022-41318 page SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 squid-3.5.21-26.38.1 squid-3.5.21-26.38.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL squid-3.5.21-26.38.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL squid-3.5.21-26.38.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS squid-3.5.21-26.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 squid-3.5.21-26.38.1 as a component of SUSE OpenStack Cloud 9 squid-3.5.21-26.38.1 as a component of SUSE OpenStack Cloud Crowbar 9 An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7. CVE-2022-41317 SUSE Linux Enterprise Server 12 SP2-BCL:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server 12 SP3-BCL:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server 12 SP4-LTSS:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:squid-3.5.21-26.38.1 SUSE OpenStack Cloud 9:squid-3.5.21-26.38.1 SUSE OpenStack Cloud Crowbar 9:squid-3.5.21-26.38.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223533-1/ https://www.suse.com/security/cve/CVE-2022-41317.html CVE-2022-41317 https://bugzilla.suse.com/1203677 SUSE Bug 1203677 A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7. CVE-2022-41318 SUSE Linux Enterprise Server 12 SP2-BCL:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server 12 SP3-BCL:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server 12 SP4-LTSS:squid-3.5.21-26.38.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:squid-3.5.21-26.38.1 SUSE OpenStack Cloud 9:squid-3.5.21-26.38.1 SUSE OpenStack Cloud Crowbar 9:squid-3.5.21-26.38.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223533-1/ https://www.suse.com/security/cve/CVE-2022-41318.html CVE-2022-41318 https://bugzilla.suse.com/1203680 SUSE Bug 1203680