[squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

TarotApprentice tarotapprentice at yahoo.com
Sun Apr 19 08:18:20 UTC 2020


I am not sure if you have any contact with the Debian maintainers. I raised a bug with Debian in March asking for 4.10 to get promoted to buster-backports on the grounds of security fixes. If we’re on the stable release (buster) we are stuck with 4.6 until the next stable release (up to 2 years), use the testing release which has other changes or we have to compile our own.

Link to bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954488

MarkJ 


> On 19 Apr 2020, at 1:33 pm, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> 
>> On 19/04/20 6:52 am, Marcus Kool wrote:
>> Amos,
>> The latest version of Squid is 4.10.  Do you mean "fixed in 4.10"
>> instead of "fixed in 4.8" ?
>> 
> 
> No, these CVE were fixed in 4.8. The advisory was embargoed for another
> issue, which is has taken too long and now going to be fixed in a later
> release.
> 
> Amos
> 
> 
> 
>> Thanks,
>> Marcus
>> 
>>> On 18/04/2020 14:10, Amos Jeffries wrote:
>>> __________________________________________________________________
>>> 
>>>      Squid Proxy Cache Security Update Advisory SQUID-2019:4
>>> __________________________________________________________________
>>> 
>>> Advisory ID:        SQUID-2019:4
>>> Date:               April 18, 2020
>>> Summary:            Multiple Issues
>>>                      in HTTP Request processing.
>>> Affected versions:  Squid 3.5.18 -> 3.5.28
>>>                      Squid 4.0.10 -> 4.7
>>> Fixed in version:   Squid 4.8
>>> __________________________________________________________________
>>> 
>>>      http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
>>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520
>>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524
>>> __________________________________________________________________
>>> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200419/49490f84/attachment-0002.html>


More information about the squid-users mailing list