CVE-2019-18679

CVE-2019-18679

Name

CVE-2019-18679

Description

An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://github.com/squid-cache/squid/pull/491
Third Party Advisory	http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
Release Notes	http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
Issue Tracking	https://bugzilla.suse.com/show_bug.cgi?id=1156324
Third Party Advisory	https://usn.ubuntu.com/4213-1/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
GENTOO	https://security.gentoo.org/glsa/202003-34
DEBIAN	https://www.debian.org/security/2020/dsa-4682
MLIST	https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Type

URI

Patch

https://github.com/squid-cache/squid/pull/491

Third Party Advisory

http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

Release Notes

http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch

Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1156324

Third Party Advisory

https://usn.ubuntu.com/4213-1/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html

GENTOO

https://security.gentoo.org/glsa/202003-34

DEBIAN

https://www.debian.org/security/2020/dsa-4682

MLIST

https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:squid-cache:squid::::::::`	squid	>= 2.0	<= 2.7
`cpe:2.3:a:squid-cache:squid:2.7:stable2::::::`	squid	== None	== 2.7
`cpe:2.3:a:squid-cache:squid::::::::`	squid	>= 3.0	<= 3.5.28
`cpe:2.3:a:squid-cache:squid::::::::`	squid	>= 4.0	<= 4.8

CPE URI

Source package

Min version

Max version

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

squid

>= 2.0

<= 2.7

cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*

squid

== None

== 2.7

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

squid

>= 3.0

<= 3.5.28

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

squid

>= 4.0

<= 4.8

References

Match rules

Vulnerable and fixed packages