CVE-2020-8517
https://notcve.org/view.php?id=CVE-2020-8517
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. Se detectó un problema en Squid versiones anteriores a 4.10. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html http://www.squid-cache.org/Advisories/SQUID-2020_3.txt http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch https://security.gentoo.org/glsa/202003-34 https://security.netapp.com/advisory/ntap-20210304-0002 https://usn.ubuntu.com • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVE-2020-8450 – squid: Buffer overflow in reverse-proxy configurations
https://notcve.org/view.php?id=CVE-2020-8450
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy. Se detectó un problema en Squid versiones anteriores a 4.10. Debido a una administración del búfer incorrecta, un cliente remoto puede causar un desbordamiento del búfer en una instancia de Squid que actúa como un proxy inverso. A flaw was found in squid. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html http://www.squid-cache.org/Advisories/SQUID-2020_1.txt http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVE-2020-8449 – squid: Improper input validation issues in HTTP Request processing
https://notcve.org/view.php?id=CVE-2020-8449
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. Se detectó un problema en Squid versiones anteriores a 4.10. Debido a una comprobación de entrada incorrecta, puede interpretar las peticiones HTTP diseñadas de manera no prevista para acceder a recursos del servidor prohibidos por parte de los filtros de seguridad anteriores. A flaw was found in squid. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html http://www.squid-cache.org/Advisories/SQUID-2020_1.txt http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch http://www.squid-cache.org/Versions • CWE-20: Improper Input Validation CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2019-12526 – squid: Heap overflow issue in URN processing
https://notcve.org/view.php?id=CVE-2019-12526
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap. Se detectó un problema en Squid versiones anteriores a 4.9. • http://www.squid-cache.org/Advisories/SQUID-2019_7.txt https://bugzilla.suse.com/show_bug.cgi?id=1156326 https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67 https://security.gentoo.org • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2019-12523 – squid: Improper input validation in URI processor
https://notcve.org/view.php?id=CVE-2019-12523
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost. Se detectó un problema en Squid versiones anteriores a 4.9. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html http://www.squid-cache.org/Advisories/SQUID-2019_8.txt https://bugzilla.suse.com/show_bug.cgi?id=1156329 https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67 https://usn.ubuntu.com& • CWE-20: Improper Input Validation •