{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2018-1000027: fix NULL pointer dereference in\n  clientFollowXForwardedForCheck for transactions without a client connection\n- CVE-2018-19131: fix XSS via X.509 certificate fields rendered unescaped in\n  SSL error pages\n- CVE-2019-12520: prevent cache poisoning by suppressing URL userinfo from\n  absolute URLs for non-FTP schemes\n- CVE-2019-12523: reject URIs with invalid scheme (non-alpha first char) and\n  malformed URN NID\n- CVE-2019-12526: add Must() guard in URN response handling to prevent\n  re-entry with zero-length buffer\n- CVE-2019-12528: fix FTP directory listing parser info leak from heap into\n  HTTP responses\n- CVE-2019-12529: fix Basic auth uudecode out-of-bounds read/write via proper\n  bounds checking\n- CVE-2019-13345: fix multiple XSS issues in cachemgr.cgi via rfc1738-escaping\n  user_name and auth parameters\n- CVE-2019-18676: cap URI scheme length and reject malformed scheme prefixes\n  to prevent buffer overflow in urlParse\n- CVE-2019-18677: prevent CSRF via append_domain truncation by rejecting\n  oversized domain appends\n- CVE-2019-18678: reject HTTP headers with whitespace between field-name and\n  colon per RFC 7230 to prevent request splitting\n- CVE-2019-18679: remove raw heap pointer from Digest nonce hash input to\n  prevent information disclosure and ASLR bypass\n- CVE-2019-18860: fix cachemgr.cgi XSS/info-disclosure via hostname parameter\n  validation",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux6els/advisories/2026/clsa-2026_1776879277.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-22T17:36:07Z",
      "generator": {
        "date": "2026-04-22T17:36:07Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1776879277",
      "initial_release_date": "2026-04-22T17:36:07Z",
      "revision_history": [
        {
          "date": "2026-04-22T17:36:07Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "squid: Fix of 13 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle Linux 6",
                "product": {
                  "name": "Oracle Linux 6",
                  "product_id": "Oracle-Linux-6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Oracle Linux"
          }
        ],
        "category": "vendor",
        "name": "Oracle Corporation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squid-7:3.1.23-30.el6.tuxcare.els17.x86_64",
                "product": {
                  "name": "squid-7:3.1.23-30.el6.tuxcare.els17.x86_64",
                  "product_id": "squid-7:3.1.23-30.el6.tuxcare.els17.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/squid@3.1.23-30.el6.tuxcare.els17?arch=x86_64&epoch=7"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squid-7:3.1.23-30.el6.tuxcare.els17.x86_64 as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        },
        "product_reference": "squid-7:3.1.23-30.el6.tuxcare.els17.x86_64",
        "relates_to_product_reference": "Oracle-Linux-6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-12520",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making an MD5 hash of the absolute URL of the request. If found, it serves the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12520"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/",
          "url": "http://www.squid-cache.org/Versions/v4/"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/commits/v4",
          "url": "https://github.com/squid-cache/squid/commits/v4"
        },
        {
          "category": "external",
          "summary": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt",
          "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20210205-0006/",
          "url": "https://security.netapp.com/advisory/ntap-20210205-0006/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4446-1/",
          "url": "https://usn.ubuntu.com/4446-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2020-04-15T20:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2019-12523",
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12523"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156329",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4446-1/",
          "url": "https://usn.ubuntu.com/4446-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2018-1000027",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Squid Software Foundation Squid HTTP Caching Proxy versions prior to 4.0.23 contain a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2018-1000027"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch",
          "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/129/files",
          "url": "https://github.com/squid-cache/squid/pull/129/files"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html",
          "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html",
          "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3557-1/",
          "url": "https://usn.ubuntu.com/3557-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4059-2/",
          "url": "https://usn.ubuntu.com/4059-2/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2018/dsa-4122",
          "url": "https://www.debian.org/security/2018/dsa-4122"
        }
      ],
      "release_date": "2018-02-09T23:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2019-18678",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-18678"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156323",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156323"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/445",
          "url": "https://github.com/squid-cache/squid/pull/445"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202003-34",
          "url": "https://security.gentoo.org/glsa/202003-34"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2019-13345",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "description",
          "text": "The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-13345"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
        },
        {
          "category": "external",
          "summary": "http://www.securityfocus.com/bid/109095",
          "url": "http://www.securityfocus.com/bid/109095"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:3476",
          "url": "https://access.redhat.com/errata/RHSA-2019:3476"
        },
        {
          "category": "external",
          "summary": "https://bugs.squid-cache.org/show_bug.cgi?id=4957",
          "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4957"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/429",
          "url": "https://github.com/squid-cache/squid/pull/429"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/"
        },
        {
          "category": "external",
          "summary": "https://seclists.org/bugtraq/2019/Aug/42",
          "url": "https://seclists.org/bugtraq/2019/Aug/42"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4059-1/",
          "url": "https://usn.ubuntu.com/4059-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4059-2/",
          "url": "https://usn.ubuntu.com/4059-2/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2019/dsa-4507",
          "url": "https://www.debian.org/security/2019/dsa-4507"
        }
      ],
      "release_date": "2019-07-05T16:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2019-12528",
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12528"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202003-34",
          "url": "https://security.gentoo.org/glsa/202003-34"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4289-1/",
          "url": "https://usn.ubuntu.com/4289-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2020-02-04T21:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2019-18676",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-18676"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156329",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/275",
          "url": "https://github.com/squid-cache/squid/pull/275"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4446-1/",
          "url": "https://usn.ubuntu.com/4446-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2019-18860",
      "cwe": {
        "id": "CWE-74",
        "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-18860"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/504",
          "url": "https://github.com/squid-cache/squid/pull/504"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/505",
          "url": "https://github.com/squid-cache/squid/pull/505"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4356-1/",
          "url": "https://usn.ubuntu.com/4356-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4732",
          "url": "https://www.debian.org/security/2020/dsa-4732"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2025/11/04/7",
          "url": "http://www.openwall.com/lists/oss-security/2025/11/04/7"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2025/11/05/1",
          "url": "http://www.openwall.com/lists/oss-security/2025/11/05/1"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2025/11/05/7",
          "url": "http://www.openwall.com/lists/oss-security/2025/11/05/7"
        }
      ],
      "release_date": "2020-03-20T21:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2019-18679",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers in isolating memory areas to target for remote code execution attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-18679"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156324",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156324"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/491",
          "url": "https://github.com/squid-cache/squid/pull/491"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202003-34",
          "url": "https://security.gentoo.org/glsa/202003-34"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2019-18677",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-18677"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch",
          "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156328",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/427",
          "url": "https://github.com/squid-cache/squid/pull/427"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2018-19131",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2018-19131"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch",
          "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/pull/306",
          "url": "https://github.com/squid-cache/squid/pull/306"
        }
      ],
      "release_date": "2018-11-09T11:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2019-12529",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12529"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch",
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch"
        },
        {
          "category": "external",
          "summary": "https://github.com/squid-cache/squid/commits/v4",
          "url": "https://github.com/squid-cache/squid/commits/v4"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/"
        },
        {
          "category": "external",
          "summary": "https://seclists.org/bugtraq/2019/Aug/42",
          "url": "https://seclists.org/bugtraq/2019/Aug/42"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4065-1/",
          "url": "https://usn.ubuntu.com/4065-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4065-2/",
          "url": "https://usn.ubuntu.com/4065-2/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2019/dsa-4507",
          "url": "https://www.debian.org/security/2019/dsa-4507"
        }
      ],
      "release_date": "2019-07-11T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2019-12526",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to a URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker-controlled data overflowing in the heap.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12526"
        },
        {
          "category": "external",
          "summary": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt",
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1156326",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156326"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202003-34",
          "url": "https://security.gentoo.org/glsa/202003-34"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4213-1/",
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2019-11-26T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-22T17:34:40.580224Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776879277"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els17.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    }
  ]
}