[ASA-201907-5] squid: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Wed Jul 17 15:33:36 UTC 2019


Arch Linux Security Advisory ASA-201907-5
=========================================

Severity: Critical
Date    : 2019-07-17
CVE-ID  : CVE-2019-12527
Package : squid
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1004

Summary
=======

The package squid before version 4.8-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 4.8-1.

# pacman -Syu "squid>=4.8-1"

The problem has been fixed upstream in version 4.8.

Workaround
==========

None.

Description
===========

Due to incorrect buffer management Squid versions prior to 4.8 are
vulnerable to a heap overflow and possible remote code execution attack
when processing HTTP Authentication credentials.

Impact
======

A remote attacker can execute arbitrary code via crafted HTTP requests.

References
==========

http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch
https://security.archlinux.org/CVE-2019-12527

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190717/9b869d59/attachment.sig>


More information about the arch-security mailing list