__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2019:11 __________________________________________________________________ Advisory ID: SQUID-2019:11 Date: November 05, 2019 Summary: Information Disclosure issue in HTTP Digest Authentication. Affected versions: Squid 2.x -> 2.7.STABLE9 Squid 3.x -> 3.5.28 Squid 4.x -> 4.8 Fixed in version: Squid 4.9 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2019_11.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18679 __________________________________________________________________ Problem Description: Due to incorrect data management Squid is vulnerable to a information disclosure when processing HTTP Digest Authentication. __________________________________________________________________ Severity: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 4.9. In addition, a patch addressing this problem for the stable releases can be found in our patch archives: Squid 4: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x up to and including 2.7.STABLE9 are vulnerable. All Squid-3.x up to and including 3.5.28 are vulnerable. All Squid-4.x up to and including 4.8 are vulnerable. __________________________________________________________________ Workarounds: Either; Remove 'auth_param digest ...' configuration settings from squid.conf. Or, Build Squid with --disable-auth-digest __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: This vulnerability was discovered and fixed by David Fifield. __________________________________________________________________ Revision history: 2019-08-05 06:15:36 UTC Initial Report 2019-10-20 18:59:08 UTC Patches Released 2019-11-04 13:43:22 UTC CVE Assignment __________________________________________________________________ END _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce