CVE-2019-18676

Published: 26 November 2019

An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
squid
Launchpad, Ubuntu, Debian
Upstream
Released (4.9-1)
Ubuntu 21.04 (Hirsute Hippo)
Released (4.9-2ubuntu1)
Ubuntu 20.10 (Groovy Gorilla)
Released (4.9-2ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (4.9-2ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch
squid3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (3.5.27-1ubuntu1.7)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.12-1ubuntu7.12)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
mdeslaur
same fix as CVE-2019-12523
This was fixed in 4.x by rewriting the URI parser to use SBuf.
fixed in Debian's 3.5.23-5+deb9u2

References