CVE-2019-18676

Published: 26 November 2019

An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: squid (Launchpad, Ubuntu, Debian)
  Upstream: Released (4.9-1)
  Ubuntu 20.10 (Groovy Gorilla): Released (4.9-2ubuntu1)
  Ubuntu 20.04 LTS (Focal Fossa): Released (4.9-2ubuntu1)
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch

Package: squid3 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 20.10 (Groovy Gorilla): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Released (3.5.27-1ubuntu1.7)
  Ubuntu 16.04 LTS (Xenial Xerus): Released (3.5.12-1ubuntu7.12)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Notes

Author: mdeslaur
Note:
  same fix as CVE-2019-12523
  This was fixed in 4.x by rewriting the URI parser to use SBuf.
  fixed in Debian's 3.5.23-5+deb9u2
