Sicherheit: Mehrere Probleme in Squid

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============0367325085077882888==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="ksFFIgc6WS5ixvLeQDx1SdXp10O53QN7Z"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--ksFFIgc6WS5ixvLeQDx1SdXp10O53QN7Z
Content-Type: multipart/mixed;
boundary="g6BQcK21exf6lISOS9vCO6590sHiVZodJ"

--g6BQcK21exf6lISOS9vCO6590sHiVZodJ
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-4446-1
August 03, 2020

squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid3: Web proxy cache server

Details:

Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)

Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)

Jeriko One discovered that Squid incorrectly handled URL decoding. A remote
attacker could possibly use this issue to bypass certain rule checks.
(CVE-2019-12524)

Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled input validation. A remote attacker could use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2019-18676)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.7

Ubuntu 16.04 LTS:
squid 3.5.12-1ubuntu7.12

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4446-1
CVE-2019-12520, CVE-2019-12523, CVE-2019-12524, CVE-2019-18676

Package Information:
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.7
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.12

--g6BQcK21exf6lISOS9vCO6590sHiVZodJ--

--ksFFIgc6WS5ixvLeQDx1SdXp10O53QN7Z
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl8oKoMACgkQZWnYVadE
vpM+fw//eNARkHtIGSQXj2XrvuvjrEdkGoVx3gUldi9GgLmBr4HdbJgtzpXVaFsV
ciXmOcqFnFK8H5sIQA53VwhpGv71ONBiqEladAeJMvXltDYw+zBuvwFZ9V498ClA
UZotUh7sLZEcFyESOGrOkqHrKtL8RJVppcfNH17y6H19nAlLG5WNFh1wjprd8iOe
Ug4CKg0ec6+wOP4pVmuxT19CmGT5LGIi6ltpuf5oSmIVf+GexzTjDqHU+0r8us+l
CDAvPLxMxxvJiTJB+QQB+8jX+Kbw7SjEe1lI0M4eCD3N+/Q6cLcj6sqeCi7zoQ24
+EsSHx4i3Bd4ijM5HeRV5ubHe/nhT7Ckzn63/HKMToqsNVKjPdW9aGl7BcmxBXwJ
kZyP3bR3M/VAwruuj1+GwEqjHIKyqhV5ty7l9gRJAN7W3CKtus7tgplPLDscNQT+
2KXkgG8c0Jmi88dGW+9CO1bjBON0QWhxfI2Ucau+OSUTpXpAihxv3jGbXn4TVzeJ
uXyQF08Pw6ZcJluFHRMZik8WghUvta5LGmTAj9jvGHryqtJy0nisvhSMaIMxypzC
3v+IliK6p/jzdRh+rJXEaNWNaljAq2jEPgk9foToHfqt9ytv+JTQiMsF0KSnsaU/
9c82A9CVyG3VSUa8ccXYFTPMOMqU9U1AtfB1xZHNeTUTjVMBbwA=
=6UrN
-----END PGP SIGNATURE-----

--ksFFIgc6WS5ixvLeQDx1SdXp10O53QN7Z--

--===============0367325085077882888==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============0367325085077882888==--