[SECURITY] [DSA 4507-1] squid security update

2019-08-2411:46:36

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA-4507-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
August 24, 2019 https://www.debian.org/security/faq

Package : squid
CVE ID : CVE-2019-12525 CVE-2019-12527 CVE-2019-12529 CVE-2019-12854
CVE-2019-13345
Debian Bug : 931478

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache. The flaws in the HTTP Digest Authentication processing, the
HTTP Basic Authentication processing and in the cachemgr.cgi allowed
remote attackers to perform denial of service and cross-site scripting
attacks, and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u1.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian10armhfsquid-purge< 4.6-1+deb10u1squid-purge_4.6-1+deb10u1_armhf.deb
Debian9arm64squidclient< 3.5.23-5+deb9u2squidclient_3.5.23-5+deb9u2_arm64.deb
Debian9amd64squidclient< 3.5.23-5+deb9u2squidclient_3.5.23-5+deb9u2_amd64.deb
Debian10mipselsquid-dbgsym< 4.6-1+deb10u1squid-dbgsym_4.6-1+deb10u1_mipsel.deb
Debian10armelsquidclient-dbgsym< 4.6-1+deb10u1squidclient-dbgsym_4.6-1+deb10u1_armel.deb
Debian10amd64squid-dbgsym< 4.6-1+deb10u1squid-dbgsym_4.6-1+deb10u1_amd64.deb
Debian8armelsquid-cgi< 3.4.8-6+deb8u7squid-cgi_3.4.8-6+deb8u7_armel.deb
Debian10armhfsquid-purge-dbgsym< 4.6-1+deb10u1squid-purge-dbgsym_4.6-1+deb10u1_armhf.deb
Debian10allsquid3< 4.6-1+deb10u1squid3_4.6-1+deb10u1_all.deb
Debian10mipssquid-cgi-dbgsym< 4.6-1+deb10u1squid-cgi-dbgsym_4.6-1+deb10u1_mips.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	armhf	squid-purge	< 4.6-1+deb10u1	squid-purge_4.6-1+deb10u1_armhf.deb
Debian	9	arm64	squidclient	< 3.5.23-5+deb9u2	squidclient_3.5.23-5+deb9u2_arm64.deb
Debian	9	amd64	squidclient	< 3.5.23-5+deb9u2	squidclient_3.5.23-5+deb9u2_amd64.deb
Debian	10	mipsel	squid-dbgsym	< 4.6-1+deb10u1	squid-dbgsym_4.6-1+deb10u1_mipsel.deb
Debian	10	armel	squidclient-dbgsym	< 4.6-1+deb10u1	squidclient-dbgsym_4.6-1+deb10u1_armel.deb
Debian	10	amd64	squid-dbgsym	< 4.6-1+deb10u1	squid-dbgsym_4.6-1+deb10u1_amd64.deb
Debian	8	armel	squid-cgi	< 3.4.8-6+deb8u7	squid-cgi_3.4.8-6+deb8u7_armel.deb
Debian	10	armhf	squid-purge-dbgsym	< 4.6-1+deb10u1	squid-purge-dbgsym_4.6-1+deb10u1_armhf.deb
Debian	10	all	squid3	< 4.6-1+deb10u1	squid3_4.6-1+deb10u1_all.deb
Debian	10	mips	squid-cgi-dbgsym	< 4.6-1+deb10u1	squid-cgi-dbgsym_4.6-1+deb10u1_mips.deb