squid-3.5.20-15.el7
Errata ID: AXSA:2020-4563:01
Release date:
2020/04/02 Thursday - 08:10
Title:
squid-3.5.20-15.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following items have been addressed.
[Security Fix]
- squid contains incorrect pointer handling in ESI response processing, which allows a denial of service against all clients using the proxy. (CVE-2018-1000024)
- squid contains a NULL pointer dereference in the processing of the HTTP response X-Forwarded-For header, which allows a denial of service against all clients of the proxy. (CVE-2018-1000027)
- The cachemgr.cgi web module of squid has a cross-site scripting vulnerability via the user_name or auth parameter. (CVE-2019-13345)
The translations of some CVE descriptions are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the package.
CVE:
CVE-2018-1000024
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains an Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy. This attack appears to be exploitable when a remote server delivers an HTTP response payload containing valid but unusual ESI syntax. This vulnerability appears to have been fixed in 4.0.23 and later.
CVE-2018-1000027
The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable when a remote HTTP server responds with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.
CVE-2019-13345
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
Additional information:
N/A
Download:
SRPMS
- squid-3.5.20-15.el7.src.rpm
MD5: a8438860e3c5876411dc9aae42e3b9b3
SHA-256: 195e52886962ec17cd56758389809822520394306a9650d5fe024c5343a80229
Size: 2.31 MB
Asianux Server 7 for x86_64
- squid-3.5.20-15.el7.x86_64.rpm
MD5: ad04a5a62cb6a3783030f3c020520146
SHA-256: c63157560087cf975d500741121ae66d65e6ec16ffe361edc24c2fd901205f92
Size: 3.13 MB
- squid-migration-script-3.5.20-15.el7.x86_64.rpm
MD5: 18984fcb4e09917389ba3d809b0227bc
SHA-256: 3f660bcf4581bb9dbbedf13ce4e770839d8925dd0aaa6549a710d0a8b842a084
Size: 48.32 kB
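Two checks an administrator applying this errata would want before and after installing: that the downloaded RPM matches the SHA-256 published above, and that the squid package on the host is at least the fixed build 3.5.20-15.el7. The script below is an added example and is not part of the Asianux advisory; it assumes GNU coreutils (`sha256sum`, `sort -V`) and, for the live check, the `rpm` query format shown in the usage comment. The SHA-256 constant is the value listed in the advisory for squid-3.5.20-15.el7.x86_64.rpm.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded RPM against the
# published SHA-256 and check whether the installed squid is at least the
# fixed build. Assumes GNU coreutils (sha256sum, sort -V).

# Published SHA-256 for squid-3.5.20-15.el7.x86_64.rpm (copied from the advisory).
SQUID_RPM_SHA256="c63157560087cf975d500741121ae66d65e6ec16ffe361edc24c2fd901205f92"
# Fixed version-release string from the advisory title.
FIXED_VERSION="3.5.20-15.el7"

# verify_sha256 FILE EXPECTED
# Prints "ok" and returns 0 when FILE hashes to EXPECTED, otherwise prints
# "MISMATCH" and returns 1, so it can drive both a log line and an exit code.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# is_fixed INSTALLED FIXED
# Prints "yes" when INSTALLED sorts at or after FIXED under version-aware
# sorting, "no" otherwise. sort -V is sufficient for builds of the same
# package, e.g. 3.5.20-13.el7 versus 3.5.20-15.el7.
is_fixed() {
    installed="$1"
    fixed="$2"
    highest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    if [ "$highest" = "$installed" ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# Usage on a host with the downloaded file and rpm available:
#   verify_sha256 squid-3.5.20-15.el7.x86_64.rpm "$SQUID_RPM_SHA256"
#   is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' squid)" "$FIXED_VERSION"
```

Run the hash check before `rpm -U` or `yum update`, and the version check afterwards (or across a fleet) to confirm that no host is still on a build older than 3.5.20-15.el7.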