CVE-2019-12526: Buffer Overflow
First published: Tue Nov 26 2019(Updated: )
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squid-Cache Squid | >=3.0<=3.5.28 | |
| Squid-Cache Squid | >=4.0<=4.8 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| openSUSE Leap | =15.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.4-1ubuntu2.3 | 4.4-1ubuntu2.3 |
| ubuntu/squid | <4.8-1ubuntu2.1 | 4.8-1ubuntu2.1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-1 | 4.9-1 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.4 | 3.5.27-1ubuntu1.4 |
| ubuntu/squid3 | <3.5.12-1ubuntu7.9 | 3.5.12-1ubuntu7.9 |
| debian/squid | 4.6-1+deb10u7 4.6-1+deb10u10 4.13-10+deb11u2 4.13-10+deb11u3 5.7-2 5.7-2+deb12u1 6.6-1 6.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
- https://bugzilla.suse.com/show_bug.cgi?id=1156326
- https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://security.gentoo.org/glsa/202003-34
- https://usn.ubuntu.com/4213-1/
- https://www.debian.org/security/2020/dsa-4682
- https://launchpad.net/bugs/cve/CVE-2019-12526
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch
- https://security-tracker.debian.org/tracker/CVE-2019-12526
- https://ubuntu.com/security/notices/USN-4213-1
- https://www.cve.org/CVERecord?id=CVE-2019-12526
- https://nvd.nist.gov/vuln/detail/CVE-2019-12526
- https://ubuntu.com/security/CVE-2019-12526
Frequently Asked Questions
What is CVE-2019-12526?
CVE-2019-12526 is a vulnerability in Squid before version 4.9 that allows for a heap-based buffer overflow.
How severe is CVE-2019-12526?
CVE-2019-12526 is classified as critical with a severity value of 9.8.
What software is affected by CVE-2019-12526?
Squid versions up to 4.9-2ubuntu1 and 4.4-1ubuntu2.3 are affected by CVE-2019-12526.
How can I fix CVE-2019-12526?
To fix CVE-2019-12526, update Squid to version 4.9-2ubuntu1 or 4.4-1ubuntu2.3.
Where can I find more information about CVE-2019-12526?
More information about CVE-2019-12526 can be found at the following references: [CVE page](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526), [Squid advisory](http://www.squid-cache.org/Advisories/SQUID-2019_7.txt), [Ubuntu security notice](https://ubuntu.com/security/notices/USN-4213-1).
- collector/nvd-index
- agent/references
- agent/type
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/3.0
- version/squid-cache squid/3.5.28
- version/squid-cache squid/4.0
- version/squid-cache squid/4.8
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/debian
- package-manager/ubuntu