CVE-2019-12529
First published: Thu Jul 11 2019(Updated: )
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squid-Cache Squid | >=2.0<2.7 | |
| Squid-Cache Squid | >=3.0<=3.5.28 | |
| Squid-Cache Squid | >=4.0<=4.7 | |
| Squid-Cache Squid | =2.7-stable1 | |
| Squid-Cache Squid | =2.7-stable2 | |
| Squid-Cache Squid | =2.7-stable3 | |
| Squid-Cache Squid | =2.7-stable4 | |
| Squid-Cache Squid | =2.7-stable5 | |
| Squid-Cache Squid | =2.7-stable6 | |
| Squid-Cache Squid | =2.7-stable7 | |
| Squid-Cache Squid | =2.7-stable8 | |
| Squid-Cache Squid | =2.7-stable9 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =29 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| debian/squid | 4.13-10+deb11u3 5.7-2+deb12u2 6.10-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html
- http://www.squid-cache.org/Versions/v4/changesets/
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch
- https://github.com/squid-cache/squid/commits/v4
- https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/
- https://seclists.org/bugtraq/2019/Aug/42
- https://usn.ubuntu.com/4065-1/
- https://usn.ubuntu.com/4065-2/
- https://www.debian.org/security/2019/dsa-4507
- https://launchpad.net/bugs/cve/CVE-2019-12529
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/
- http://www.squid-cache.org/Advisories/SQUID-2019_2.txt
- https://security-tracker.debian.org/tracker/CVE-2019-12529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
- https://nvd.nist.gov/vuln/detail/CVE-2019-12529
- https://ubuntu.com/security/CVE-2019-12529
Frequently Asked Questions
What is the severity of CVE-2019-12529?
The severity of CVE-2019-12529 is medium.
How does CVE-2019-12529 affect Squid?
CVE-2019-12529 affects Squid versions 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7.
How is Proxy-Authorization header parsed in Squid?
Proxy-Authorization header is parsed via uudecode in Squid.
What is the recommended remedy for CVE-2019-12529 on Ubuntu?
The recommended remedy for CVE-2019-12529 on Ubuntu is to update to the latest version of squid or squid3.
Where can I find more information about CVE-2019-12529?
You can find more information about CVE-2019-12529 at the official website of Squid and the security announcement links provided.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/event
- agent/trending
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/2.0
- version/squid-cache squid/3.0
- version/squid-cache squid/3.5.28
- version/squid-cache squid/4.0
- version/squid-cache squid/4.7
- version/squid-cache squid/2.7-stable1
- version/squid-cache squid/2.7-stable2
- version/squid-cache squid/2.7-stable3
- version/squid-cache squid/2.7-stable4
- version/squid-cache squid/2.7-stable5
- version/squid-cache squid/2.7-stable6
- version/squid-cache squid/2.7-stable7
- version/squid-cache squid/2.7-stable8
- version/squid-cache squid/2.7-stable9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- package-manager/debian