Security update for squid3

Announcement ID:	SUSE-SU-2020:14460-1
Rating:	important
References:	bsc#1140738 bsc#1141329 bsc#1141332 bsc#1156323 bsc#1156324 bsc#1156326 bsc#1156328 bsc#1156329 bsc#1162687 bsc#1162689 bsc#1162691 bsc#1167373 bsc#1169659 bsc#1170313 bsc#1170423 bsc#1173304 bsc#1173455
Cross-References:	CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 CVE-2019-12524 CVE-2019-12525 CVE-2019-12526 CVE-2019-12528 CVE-2019-12529 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860 CVE-2020-11945 CVE-2020-14059 CVE-2020-15049 CVE-2020-8449 CVE-2020-8450 CVE-2020-8517
CVSS scores:	CVE-2019-12519 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H CVE-2019-12519 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12520 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVE-2019-12520 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-12521 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-12521 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-12523 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2019-12523 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2019-12524 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVE-2019-12524 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12525 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-12525 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12525 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12526 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12526 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12528 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-12528 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-12529 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2019-12529 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-12529 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-13345 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2019-13345 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-18676 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-18676 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-18677 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2019-18677 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-18678 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2019-18678 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2019-18679 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-18679 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-18860 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2019-18860 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-11945 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-11945 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-14059 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-14059 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-15049 ( SUSE ): 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-15049 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-8449 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-8450 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8450 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8517 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-8517 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4

An update that solves 21 vulnerabilities can now be installed.

Description:

This update for squid3 fixes the following issues:

• Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049, bsc#1173455)

• Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)

• Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)

• Fixed a potential remote execution vulnerability when using HTTP Digest Authentication (CVE-2020-11945, bsc#1170313)
• Fixed a potential ACL bypass, cache-bypass and cross-site scripting attack when processing invalid HTTP Request messages (CVE-2019-12520, CVE-2019-12524, bsc#1170423)

• Fixed a potential denial of service when processing TLS certificates during HTTPS connections (CVE-2020-14059, bsc#1173304)

• Fixed a potential denial of service associated with incorrect buffer management of HTTP Basic Authentication credentials (bsc#1141329, CVE-2019-12529)

• Fixed an incorrect buffer management resulting in vulnerability to a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332, CVE-2019-12525)
• Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738, CVE-2019-13345)
• Fixed a potential code execution vulnerability (CVE-2019-12526, bsc#1156326)
• Fixed HTTP Request Splitting in HTTP message processing and information disclosure in HTTP Digest Authentication (CVE-2019-18678, CVE-2019-18679, bsc#1156323, bsc#1156324)
• Fixed a security issue allowing a remote client ability to cause use a buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449, CVE-2020-8450, bsc#1162687)
• Fixed a security issue allowing for information disclosure in FTP gateway (CVE-2019-12528, bsc#1162689)

• Fixed a security issue in ext_lm_group_acl when processing NTLM Authentication credentials. (CVE-2020-8517, bsc#1162691)

• Fixed Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677, bsc#1156328)

• Disable urn parsing and parsing of unknown schemes (bsc#1156329, CVE-2019-12523, CVE-2019-18676)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Point of Service 11 SP3
  zypper in -t patch sleposp3-squid3-14460=1
• SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4
  zypper in -t patch slessp4-squid3-14460=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-squid3-14460=1

Package List:

• SUSE Linux Enterprise Point of Service 11 SP3 (i586)
  • squid3-3.1.23-8.16.37.12.1
• SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4 (ppc64 s390x x86_64 i586)
  • squid3-3.1.23-8.16.37.12.1
• SUSE Linux Enterprise Server 11 SP4 (ppc64 s390x x86_64 i586)
  • squid3-3.1.23-8.16.37.12.1

References:

• https://www.suse.com/security/cve/CVE-2019-12519.html
• https://www.suse.com/security/cve/CVE-2019-12520.html
• https://www.suse.com/security/cve/CVE-2019-12521.html
• https://www.suse.com/security/cve/CVE-2019-12523.html
• https://www.suse.com/security/cve/CVE-2019-12524.html
• https://www.suse.com/security/cve/CVE-2019-12525.html
• https://www.suse.com/security/cve/CVE-2019-12526.html
• https://www.suse.com/security/cve/CVE-2019-12528.html
• https://www.suse.com/security/cve/CVE-2019-12529.html
• https://www.suse.com/security/cve/CVE-2019-13345.html
• https://www.suse.com/security/cve/CVE-2019-18676.html
• https://www.suse.com/security/cve/CVE-2019-18677.html
• https://www.suse.com/security/cve/CVE-2019-18678.html
• https://www.suse.com/security/cve/CVE-2019-18679.html
• https://www.suse.com/security/cve/CVE-2019-18860.html
• https://www.suse.com/security/cve/CVE-2020-11945.html
• https://www.suse.com/security/cve/CVE-2020-14059.html
• https://www.suse.com/security/cve/CVE-2020-15049.html
• https://www.suse.com/security/cve/CVE-2020-8449.html
• https://www.suse.com/security/cve/CVE-2020-8450.html
• https://www.suse.com/security/cve/CVE-2020-8517.html
• https://bugzilla.suse.com/show_bug.cgi?id=1140738
• https://bugzilla.suse.com/show_bug.cgi?id=1141329
• https://bugzilla.suse.com/show_bug.cgi?id=1141332
• https://bugzilla.suse.com/show_bug.cgi?id=1156323
• https://bugzilla.suse.com/show_bug.cgi?id=1156324
• https://bugzilla.suse.com/show_bug.cgi?id=1156326
• https://bugzilla.suse.com/show_bug.cgi?id=1156328
• https://bugzilla.suse.com/show_bug.cgi?id=1156329
• https://bugzilla.suse.com/show_bug.cgi?id=1162687
• https://bugzilla.suse.com/show_bug.cgi?id=1162689
• https://bugzilla.suse.com/show_bug.cgi?id=1162691
• https://bugzilla.suse.com/show_bug.cgi?id=1167373
• https://bugzilla.suse.com/show_bug.cgi?id=1169659
• https://bugzilla.suse.com/show_bug.cgi?id=1170313
• https://bugzilla.suse.com/show_bug.cgi?id=1170423
• https://bugzilla.suse.com/show_bug.cgi?id=1173304
• https://bugzilla.suse.com/show_bug.cgi?id=1173455