squid-3.5.20-15.el7

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service (CVE-2018-1000024)

* squid: Incorrect pointer handling in HTTP processing and certificate download can lead to denial of service (CVE-2018-1000027)

* squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.8 Release Notes linked from the References section.

CVE-2018-1000024
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later.
CVE-2018-1000027
The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.
CVE-2019-13345
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.