SUSE-SU-2020:14460-1 -- SLES squid3
ID: oval:org.secpod.oval:def:89000262 | Date: (C)2021-02-24 (M)2024-05-09 |
Class: PATCH | Family: unix |
This update for squid3 fixes the following issues:
- Fixed a Cache Poisoning and Request Smuggling attack
- Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses
- Fixed handling of hostname in cachemgr.cgi
- Fixed a potential remote execution vulnerability when using HTTP Digest Authentication
- Fixed a potential ACL bypass, cache-bypass and cross-site scripting attack when processing invalid HTTP Request messages
- Fixed a potential denial of service when processing TLS certificates during HTTPS connections
- Fixed a potential denial of service associated with incorrect buffer management of HTTP Basic Authentication credentials
- Fixed incorrect buffer management resulting in a denial of service vulnerability during processing of HTTP Digest Authentication credentials
- Fixed XSS via the user_name or auth parameter in cachemgr.cgi
- Fixed a potential code execution vulnerability
- Fixed HTTP Request Splitting in HTTP message processing and information disclosure in HTTP Digest Authentication
- Fixed a security issue allowing a remote client to cause a buffer overflow when squid is acting as a reverse proxy
- Fixed a security issue allowing information disclosure in the FTP gateway
- Fixed a security issue in ext_lm_group_acl when processing NTLM Authentication credentials
- Fixed Cross-Site Request Forgery in HTTP Request processing
- Disabled urn parsing and parsing of unknown schemes
Platform: SUSE Linux Enterprise Server 11 SP4 |