SuSE Local Security Checks : SUSE: Security Advisory (SUSE-SU-2020:14460-1)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.4.2020.14460.1

Kategorie: SuSE Local Security Checks

Titel: SUSE: Security Advisory (SUSE-SU-2020:14460-1)

Zusammenfassung: The remote host is missing an update for the 'squid3' package(s) announced via the SUSE-SU-2020:14460-1 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'squid3' package(s) announced via the SUSE-SU-2020:14460-1 advisory.

Vulnerability Insight:
This update for squid3 fixes the following issues:

Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049,
bsc#1173455)

Fixed incorrect buffer handling that can result in cache poisoning,
remote execution, and denial of service attacks when processing ESI
responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659)

Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373)

Fixed a potential remote execution vulnerability when using HTTP Digest
Authentication (CVE-2020-11945, bsc#1170313)

Fixed a potential ACL bypass, cache-bypass and cross-site scripting
attack when processing invalid HTTP Request messages (CVE-2019-12520,
CVE-2019-12524, bsc#1170423)

Fixed a potential denial of service when processing TLS certificates
during HTTPS connections (CVE-2020-14059, bsc#1173304)

Fixed a potential denial of service associated with incorrect buffer
management of HTTP Basic Authentication credentials (bsc#1141329,
CVE-2019-12529)

Fixed an incorrect buffer management resulting in vulnerability to a
denial of service during processing of HTTP Digest Authentication
credentials (bsc#1141332, CVE-2019-12525)

Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738,
CVE-2019-13345)

Fixed a potential code execution vulnerability (CVE-2019-12526,
bsc#1156326)

Fixed HTTP Request Splitting in HTTP message processing and information
disclosure in HTTP Digest Authentication (CVE-2019-18678,
CVE-2019-18679, bsc#1156323, bsc#1156324)

Fixed a security issue allowing a remote client ability to cause use a
buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449,
CVE-2020-8450, bsc#1162687)

Fixed a security issue allowing for information disclosure in FTP
gateway (CVE-2019-12528, bsc#1162689)

Fixed a security issue in ext_lm_group_acl when processing NTLM
Authentication credentials. (CVE-2020-8517, bsc#1162691)

Fixed Cross-Site Request Forgery in HTTP Request processing
(CVE-2019-18677, bsc#1156328)

Disable urn parsing and parsing of unknown schemes (bsc#1156329,
CVE-2019-12523, CVE-2019-18676)

Affected Software/OS:
'squid3' package(s) on SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2020-8449
Debian Security Information: DSA-4682 (Google Search)
https://www.debian.org/security/2020/dsa-4682
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/
https://security.gentoo.org/glsa/202003-34
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
SuSE Security Announcement: openSUSE-SU-2020:0307 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html
SuSE Security Announcement: openSUSE-SU-2020:0606 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html
https://usn.ubuntu.com/4289-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-8450
Common Vulnerability Exposure (CVE) ID: CVE-2020-8517
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch
SuSE Security Announcement: openSUSE-SU-2020:0623 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html

Copyright Copyright (C) 2021 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.4.2020.14460.1
Kategorie:	SuSE Local Security Checks
Titel:	SUSE: Security Advisory (SUSE-SU-2020:14460-1)
Zusammenfassung:	The remote host is missing an update for the 'squid3' package(s) announced via the SUSE-SU-2020:14460-1 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'squid3' package(s) announced via the SUSE-SU-2020:14460-1 advisory. Vulnerability Insight: This update for squid3 fixes the following issues: Fixed a Cache Poisoning and Request Smuggling attack (CVE-2020-15049, bsc#1173455) Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (CVE-2019-12519, CVE-2019-12521, bsc#1169659) Fixed handling of hostname in cachemgr.cgi (CVE-2019-18860, bsc#1167373) Fixed a potential remote execution vulnerability when using HTTP Digest Authentication (CVE-2020-11945, bsc#1170313) Fixed a potential ACL bypass, cache-bypass and cross-site scripting attack when processing invalid HTTP Request messages (CVE-2019-12520, CVE-2019-12524, bsc#1170423) Fixed a potential denial of service when processing TLS certificates during HTTPS connections (CVE-2020-14059, bsc#1173304) Fixed a potential denial of service associated with incorrect buffer management of HTTP Basic Authentication credentials (bsc#1141329, CVE-2019-12529) Fixed an incorrect buffer management resulting in vulnerability to a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332, CVE-2019-12525) Fix XSS via user_name or auth parameter in cachemgr.cgi (bsc#1140738, CVE-2019-13345) Fixed a potential code execution vulnerability (CVE-2019-12526, bsc#1156326) Fixed HTTP Request Splitting in HTTP message processing and information disclosure in HTTP Digest Authentication (CVE-2019-18678, CVE-2019-18679, bsc#1156323, bsc#1156324) Fixed a security issue allowing a remote client ability to cause use a buffer overflow when squid is acting as reverse-proxy. (CVE-2020-8449, CVE-2020-8450, bsc#1162687) Fixed a security issue allowing for information disclosure in FTP gateway (CVE-2019-12528, bsc#1162689) Fixed a security issue in ext_lm_group_acl when processing NTLM Authentication credentials. (CVE-2020-8517, bsc#1162691) Fixed Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677, bsc#1156328) Disable urn parsing and parsing of unknown schemes (bsc#1156329, CVE-2019-12523, CVE-2019-18676) Affected Software/OS: 'squid3' package(s) on SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2020-8449 Debian Security Information: DSA-4682 (Google Search) https://www.debian.org/security/2020/dsa-4682 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/ https://security.gentoo.org/glsa/202003-34 http://www.squid-cache.org/Advisories/SQUID-2020_1.txt http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html SuSE Security Announcement: openSUSE-SU-2020:0307 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html SuSE Security Announcement: openSUSE-SU-2020:0606 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html https://usn.ubuntu.com/4289-1/ Common Vulnerability Exposure (CVE) ID: CVE-2020-8450 Common Vulnerability Exposure (CVE) ID: CVE-2020-8517 http://www.squid-cache.org/Advisories/SQUID-2020_3.txt http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch SuSE Security Announcement: openSUSE-SU-2020:0623 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html
Copyright	Copyright (C) 2021 Greenbone Networks GmbH