Vulnerability-Lookup

CVE-2019-18676 (GCVE-0-2019-18676)

Vulnerability from cvelistv5 – Published: 2019-11-26 16:23 – Updated: 2024-08-05 01:54

Summary

An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

CNVD-2019-42425

Vulnerability from cnvd - Published: 2019-11-27

Title

Squid URI processor缓冲区溢出漏洞

Description

Squid是一套代理服务器和Web缓存服务器软件。该软件提供缓存万维网、过滤流量、代理上网等功能。URI processor是其中的一个URI（统一资源标识符）处理器。 Squid中的URI processor存在缓冲区溢出漏洞，该漏洞源于网络系统或产品在内存上执行操作时，未正确验证数据边界，导致向关联的其他内存位置上执行了错误的读写操作，攻击者可利用该漏洞导致缓冲区溢出或堆溢出等。

Severity

中

Patch Name

Squid URI processor缓冲区溢出漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Reference

https://www.auscert.org.au/bulletins/ESB-2019.4232/

Impacted products

Name
['Squid Squid 4.，<=4.8', 'Squid Squid 3.，<=3.5.28']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-18676"
    }
  },
  "description": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002URI processor\u662f\u5176\u4e2d\u7684\u4e00\u4e2aURI\uff08\u7edf\u4e00\u8d44\u6e90\u6807\u8bc6\u7b26\uff09\u5904\u7406\u5668\u3002\n\nSquid\u4e2d\u7684URI processor\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u5185\u5b58\u4e0a\u6267\u884c\u64cd\u4f5c\u65f6\uff0c\u672a\u6b63\u786e\u9a8c\u8bc1\u6570\u636e\u8fb9\u754c\uff0c\u5bfc\u81f4\u5411\u5173\u8054\u7684\u5176\u4ed6\u5185\u5b58\u4f4d\u7f6e\u4e0a\u6267\u884c\u4e86\u9519\u8bef\u7684\u8bfb\u5199\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7f13\u51b2\u533a\u6ea2\u51fa\u6216\u5806\u6ea2\u51fa\u7b49\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-42425",
  "openTime": "2019-11-27",
  "patchDescription": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002URI processor\u662f\u5176\u4e2d\u7684\u4e00\u4e2aURI\uff08\u7edf\u4e00\u8d44\u6e90\u6807\u8bc6\u7b26\uff09\u5904\u7406\u5668\u3002\r\n\r\nSquid\u4e2d\u7684URI processor\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u5185\u5b58\u4e0a\u6267\u884c\u64cd\u4f5c\u65f6\uff0c\u672a\u6b63\u786e\u9a8c\u8bc1\u6570\u636e\u8fb9\u754c\uff0c\u5bfc\u81f4\u5411\u5173\u8054\u7684\u5176\u4ed6\u5185\u5b58\u4f4d\u7f6e\u4e0a\u6267\u884c\u4e86\u9519\u8bef\u7684\u8bfb\u5199\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7f13\u51b2\u533a\u6ea2\u51fa\u6216\u5806\u6ea2\u51fa\u7b49\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Squid URI processor\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Squid Squid 4.*\uff0c\u003c=4.8",
      "Squid Squid 3.*\uff0c\u003c=3.5.28"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2019.4232/",
  "serverity": "\u4e2d",
  "submitTime": "2019-11-13",
  "title": "Squid URI processor\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CERTFR-2019-AVI-552

Vulnerability from certfr_avis - Published: 2019-11-12 - Updated: 2019-11-12

De multiples vulnérabilités ont été découvertes dans Squid. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Squid	Squid	Squid versions 2.x
Squid	Squid	Squid versions 3.x
Squid	Squid	Squid versions 4.x antérieures à 4.9

References

Title

Publication Time

GHSA-CHW7-JM99-CHW8

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2023-03-03 15:30

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-18676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-26T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.",
  "id": "GHSA-chw7-jm99-chw8",
  "modified": "2023-03-03T15:30:24Z",
  "published": "2022-05-24T17:02:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/squid-cache/squid/pull/275"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4213-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4446-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4682"
    },
    {
      "type": "WEB",
      "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2019-18676

Vulnerability from fstec - Published: 26.11.2019

Title

Уязвимость прокси-сервера Squid, связанная с записью за границами буфера, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость прокси-сервера Squid вызвана переполнением буфера в динамической памяти. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании с помощью специально созданной схемы URI

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

Canonical Ltd., Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», Novell Inc., Fedora Project, Squid Software Foundation, АО «ИВК», АО «Концерн ВНИИНС»

Software Name

Ubuntu, Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), SUSE Linux Enterprise Server for SAP Applications, SUSE OpenStack Cloud, Suse Linux Enterprise Server, Astra Linux Common Edition (запись в едином реестре российских программ №4433), OpenSUSE Leap, SUSE Enterprise Storage, SUSE Linux Enterprise Point of Sale, Fedora, SUSE Linux Enterprise Module for Server Applications, HPE Helion Openstack, Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), Squid, Альт 8 СП (запись в едином реестре российских программ №4305), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

16.04 LTS (Ubuntu), 9 (Debian GNU/Linux), 18.04 LTS (Ubuntu), 1.6 «Смоленск» (Astra Linux Special Edition), 12 SP2 (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-BCL (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-ESPOS (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-LTSS (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 7 (SUSE OpenStack Cloud), 12 SP4 (Suse Linux Enterprise Server), 19.04 (Ubuntu), 2.12 «Орёл» (Astra Linux Common Edition), 15.0 (OpenSUSE Leap), 5 (SUSE Enterprise Storage), 12 SP2-CLIENT (SUSE Linux Enterprise Point of Sale), 12 SP2-BCL (Suse Linux Enterprise Server), 12 SP2-ESPOS (Suse Linux Enterprise Server), 15.1 (OpenSUSE Leap), 12 SP2-LTSS (Suse Linux Enterprise Server), 30 (Fedora), 12 SP3-LTSS (Suse Linux Enterprise Server), 15 SP1 (SUSE Linux Enterprise Module for Server Applications), 15 (SUSE Linux Enterprise Module for Server Applications), 8 (SUSE OpenStack Cloud), 12 SP3-BCL (Suse Linux Enterprise Server), 12 SP5 (Suse Linux Enterprise Server), 12 SP3-BCL (SUSE Linux Enterprise Server for SAP Applications), 12 SP3-LTSS (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 8 (Debian GNU/Linux), Crowbar 8 (SUSE OpenStack Cloud), 10 (Debian GNU/Linux), 31 (Fedora), 8 (HPE Helion Openstack), 12 SP3-ESPOS (Suse Linux Enterprise Server), 12 SP3-ESPOS (SUSE Linux Enterprise Server for SAP Applications), 19.10 (Ubuntu), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), от 3.0 до 3.5.28 включительно (Squid), от 4.0 до 4.8 включительно (Squid), - (Альт 8 СП), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций: Для Squid: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt https://github.com/squid-cache/squid/pull/275 Для Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ Для Ubuntu: https://usn.ubuntu.com/4213-1/ Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2019-18676/ Для Astra Linux: Обновление программного обеспечения (пакета squid) до 4.6-1+deb10u2 или более поздней версии Использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16 https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 Для Debian: Использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2019-18676 Для ОС ОН «Стрелец»: Обновление программного обеспечения squid3 до версии 3.5.23-5+deb9u7 Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства

Reference

http://www.squid-cache.org/Advisories/SQUID-2019_8.txt http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch https://github.com/squid-cache/squid/pull/275 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ https://nvd.nist.gov/vuln/detail/CVE-2019-18676 https://security-tracker.debian.org/tracker/CVE-2019-18676 https://usn.ubuntu.com/4213-1/ https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16 https://www.suse.com/security/cve/CVE-2019-18676/ https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023 https://altsp.su/obnovleniya-bezopasnosti/

CWE

CWE-20, CWE-787

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Canonical Ltd., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Novell Inc., Fedora Project, Squid Software Foundation, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "16.04 LTS (Ubuntu), 9 (Debian GNU/Linux), 18.04 LTS (Ubuntu), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 12 SP2 (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-BCL (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-ESPOS (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-LTSS (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 7 (SUSE OpenStack Cloud), 12 SP4 (Suse Linux Enterprise Server), 19.04 (Ubuntu), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 15.0 (OpenSUSE Leap), 5 (SUSE Enterprise Storage), 12 SP2-CLIENT (SUSE Linux Enterprise Point of Sale), 12 SP2-BCL (Suse Linux Enterprise Server), 12 SP2-ESPOS (Suse Linux Enterprise Server), 15.1 (OpenSUSE Leap), 12 SP2-LTSS (Suse Linux Enterprise Server), 30 (Fedora), 12 SP3-LTSS (Suse Linux Enterprise Server), 15 SP1 (SUSE Linux Enterprise Module for Server Applications), 15 (SUSE Linux Enterprise Module for Server Applications), 8 (SUSE OpenStack Cloud), 12 SP3-BCL (Suse Linux Enterprise Server), 12 SP5 (Suse Linux Enterprise Server), 12 SP3-BCL (SUSE Linux Enterprise Server for SAP Applications), 12 SP3-LTSS (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 8 (Debian GNU/Linux), Crowbar 8 (SUSE OpenStack Cloud), 10 (Debian GNU/Linux), 31 (Fedora), 8 (HPE Helion Openstack), 12 SP3-ESPOS (Suse Linux Enterprise Server), 12 SP3-ESPOS (SUSE Linux Enterprise Server for SAP Applications), 19.10 (Ubuntu), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), \u043e\u0442 3.0 \u0434\u043e 3.5.28 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Squid), \u043e\u0442 4.0 \u0434\u043e 4.8 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Squid), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Squid:\nhttp://www.squid-cache.org/Advisories/SQUID-2019_8.txt\nhttps://github.com/squid-cache/squid/pull/275\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/\n\n\u0414\u043b\u044f Ubuntu:\nhttps://usn.ubuntu.com/4213-1/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.: \nhttps://www.suse.com/security/cve/CVE-2019-18676/\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 squid) \u0434\u043e 4.6-1+deb10u2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\n\n\u0414\u043b\u044f Debian:\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2019-18676\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f squid3 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 3.5.23-5+deb9u7\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "26.11.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "16.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "29.04.2020",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-01857",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-18676",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Ubuntu, Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), SUSE Linux Enterprise Server for SAP Applications, SUSE OpenStack Cloud, Suse Linux Enterprise Server, Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), OpenSUSE Leap, SUSE Enterprise Storage, SUSE Linux Enterprise Point of Sale, Fedora, SUSE Linux Enterprise Module for Server Applications, HPE Helion Openstack, Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), Squid, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Canonical Ltd. Ubuntu 16.04 LTS 32-bit, Canonical Ltd. Ubuntu 16.04 LTS , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , Canonical Ltd. Ubuntu 18.04 LTS , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-ESPOS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-LTSS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP4 , Canonical Ltd. Ubuntu 19.04 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Novell Inc. OpenSUSE Leap 15.0 32-bit, Novell Inc. OpenSUSE Leap 15.0 , Novell Inc. Suse Linux Enterprise Server 12 SP2-BCL , Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS , Novell Inc. OpenSUSE Leap 15.1 , Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS , Fedora Project Fedora 30 , Novell Inc. Suse Linux Enterprise Server 12 SP3-LTSS , Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-LTSS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Fedora Project Fedora 31 , Novell Inc. Suse Linux Enterprise Server 12 SP3-ESPOS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-ESPOS , Canonical Ltd. Ubuntu 19.10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f -  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Squid, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0437\u0430\u043f\u0438\u0441\u044c\u044e \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20), \u0417\u0430\u043f\u0438\u0441\u044c \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430 (CWE-787)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Squid \u0432\u044b\u0437\u0432\u0430\u043d\u0430 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0439 \u0441\u0445\u0435\u043c\u044b URI",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt\nhttp://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch\nhttps://github.com/squid-cache/squid/pull/275\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18676\nhttps://security-tracker.debian.org/tracker/CVE-2019-18676\nhttps://usn.ubuntu.com/4213-1/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16\nhttps://www.suse.com/security/cve/CVE-2019-18676/\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://altsp.su/obnovleniya-bezopasnosti/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20, CWE-787",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

cve-2019-18676

Vulnerability from osv_almalinux

Published

2020-11-03 12:32

Modified

2020-11-03 19:54

Summary

Moderate: squid:4 security, bug fix, and enhancement update

Details

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

The following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467)

Security Fix(es):

squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520)
squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521)
squid: Improper input validation in URI processor (CVE-2019-12523)
squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524)
squid: Heap overflow issue in URN processing (CVE-2019-12526)
squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)
squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529)
squid: Denial of service in cachemgr.cgi (CVE-2019-12854)
squid: Buffer overflow in URI processor (CVE-2019-18676)
squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677)
squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)
squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)
squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860)
squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449)
squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)
squid: DoS in TLS handshake (CVE-2020-14058)
squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)
squid: Improper input validation could result in a DoS (CVE-2020-24606)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libecap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1-2.module_el8.6.0+2741+01592ae8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libecap-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1-2.module_el8.6.0+2741+01592ae8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.\n\nThe following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467)\n\nSecurity Fix(es):\n\n* squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520)\n\n* squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521)\n\n* squid: Improper input validation in URI processor (CVE-2019-12523)\n\n* squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524)\n\n* squid: Heap overflow issue in URN processing (CVE-2019-12526)\n\n* squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)\n\n* squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529)\n\n* squid: Denial of service in cachemgr.cgi (CVE-2019-12854)\n\n* squid: Buffer overflow in URI processor (CVE-2019-18676)\n\n* squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677)\n\n* squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)\n\n* squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)\n\n* squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860)\n\n* squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449)\n\n* squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)\n\n* squid: DoS in TLS handshake (CVE-2020-14058)\n\n* squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)\n\n* squid: Improper input validation could result in a DoS (CVE-2020-24606)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2020:4743",
  "modified": "2020-11-03T19:54:15Z",
  "published": "2020-11-03T12:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2020-4743.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12520"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12521"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12523"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12524"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12526"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12528"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12529"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12854"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18676"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18677"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18678"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18679"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18860"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-14058"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-15049"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-24606"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8449"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8450"
    }
  ],
  "related": [
    "CVE-2019-12520",
    "CVE-2019-12521",
    "CVE-2019-12523",
    "CVE-2019-12524",
    "CVE-2019-12526",
    "CVE-2019-12528",
    "CVE-2019-12529",
    "CVE-2019-12854",
    "CVE-2019-18676",
    "CVE-2019-18677",
    "CVE-2019-18678",
    "CVE-2019-18679",
    "CVE-2019-18860",
    "CVE-2020-8449",
    "CVE-2020-8450",
    "CVE-2020-14058",
    "CVE-2020-15049",
    "CVE-2020-24606"
  ],
  "summary": "Moderate: squid:4 security, bug fix, and enhancement update"
}

GSD-2019-18676

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-18676

Aliases

CVE-2019-18676

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-18676",
    "description": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.",
    "id": "GSD-2019-18676",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-18676.html",
      "https://www.debian.org/security/2020/dsa-4682",
      "https://access.redhat.com/errata/RHSA-2020:4743",
      "https://ubuntu.com/security/CVE-2019-18676",
      "https://advisories.mageia.org/CVE-2019-18676.html",
      "https://linux.oracle.com/cve/CVE-2019-18676.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-18676"
      ],
      "details": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.",
      "id": "GSD-2019-18676",
      "modified": "2023-12-13T01:23:50.318391Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-18676",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/squid-cache/squid/pull/275",
            "refsource": "MISC",
            "url": "https://github.com/squid-cache/squid/pull/275"
          },
          {
            "name": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
            "refsource": "CONFIRM",
            "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
          },
          {
            "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156329",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
          },
          {
            "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch",
            "refsource": "CONFIRM",
            "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
          },
          {
            "name": "USN-4213-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/4213-1/"
          },
          {
            "name": "FEDORA-2019-0b16cbdd0e",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
          },
          {
            "name": "FEDORA-2019-9538783033",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
          },
          {
            "name": "DSA-4682",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2020/dsa-4682"
          },
          {
            "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
          },
          {
            "name": "USN-4446-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/4446-1/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.5.28",
                "versionStartIncluding": "3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.8",
                "versionStartIncluding": "4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-18676"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156329",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
            },
            {
              "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
            },
            {
              "name": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
            },
            {
              "name": "https://github.com/squid-cache/squid/pull/275",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/squid-cache/squid/pull/275"
            },
            {
              "name": "USN-4213-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://usn.ubuntu.com/4213-1/"
            },
            {
              "name": "FEDORA-2019-0b16cbdd0e",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
            },
            {
              "name": "FEDORA-2019-9538783033",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
            },
            {
              "name": "DSA-4682",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4682"
            },
            {
              "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
            },
            {
              "name": "USN-4446-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://usn.ubuntu.com/4446-1/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-03-03T14:27Z",
      "publishedDate": "2019-11-26T17:15Z"
    }
  }
}

FKIE_CVE-2019-18676

Vulnerability from fkie_nvd - Published: 2019-11-26 17:15 - Updated: 2024-11-21 04:33

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.squid-cache.org/Advisories/SQUID-2019_8.txt	Third Party Advisory
cve@mitre.org	http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch	Patch
cve@mitre.org	https://bugzilla.suse.com/show_bug.cgi?id=1156329	Issue Tracking, Third Party Advisory
cve@mitre.org	https://github.com/squid-cache/squid/pull/275	Patch, Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
cve@mitre.org	https://usn.ubuntu.com/4213-1/	Third Party Advisory
cve@mitre.org	https://usn.ubuntu.com/4446-1/	Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2020/dsa-4682	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.squid-cache.org/Advisories/SQUID-2019_8.txt	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch	Patch
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.suse.com/show_bug.cgi?id=1156329	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/squid-cache/squid/pull/275	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4213-1/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4446-1/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2020/dsa-4682	Third Party Advisory

Impacted products

Vendor	Product	Version
squid-cache	squid	*
squid-cache	squid	*
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	19.04
canonical	ubuntu_linux	19.10
fedoraproject	fedora	30
fedoraproject	fedora	31
debian	debian_linux	9.0
debian	debian_linux	10.0
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9F2659-B37B-4E7B-AE40-B91BF3CE4E88",
              "versionEndIncluding": "3.5.28",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A278895E-7005-4F4B-8649-A013F60E33D4",
              "versionEndIncluding": "4.8",
              "versionStartIncluding": "4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
              "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
              "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Squid versiones 2.x, 3.x y versiones 4.x hasta 4.8. Debido a una comprobaci\u00f3n de entrada incorrecta, hay  un desbordamiento del b\u00fafer en la regi\u00f3n heap de la memoria que puede resultar en una Denegaci\u00f3n de Servicio a todos los clientes que usan el proxy. La gravedad es alta debido a que esta vulnerabilidad ocurre antes de las comprobaciones de seguridad normales; cualquier cliente remoto que pueda alcanzar el puerto proxy puede realizar trivialmente el ataque por medio de un esquema de URI especialmente dise\u00f1ado."
    }
  ],
  "id": "CVE-2019-18676",
  "lastModified": "2024-11-21T04:33:30.657",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-11-26T17:15:12.843",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/pull/275"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4213-1/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4446-1/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4682"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/pull/275"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4213-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4446-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4682"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-18676 (GCVE-0-2019-18676)

CNVD-2019-42425

CERTFR-2019-AVI-552

Solution

GHSA-CHW7-JM99-CHW8

CVE-2019-18676

cve-2019-18676

Vulnerability from osv_almalinux

GSD-2019-18676

FKIE_CVE-2019-18676

Tags

Sightings

Nomenclature