{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2019-12521: fix the ESI parser off-by-one heap overflow by enforcing a\n  stack-depth limit and throwing on overflow\n- CVE-2019-12524: already addressed by the CVE-2019-12520 backport (same\n  fix upstream; see Squid advisory SQUID-2019:4)",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux6els/advisories/2026/clsa-2026_1777384121.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-28T13:49:14Z",
      "generator": {
        "date": "2026-04-28T13:49:14Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1777384121",
      "initial_release_date": "2026-04-28T13:49:14Z",
      "revision_history": [
        {
          "date": "2026-04-28T13:49:14Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "squid: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle Linux 6",
                "product": {
                  "name": "Oracle Linux 6",
                  "product_id": "Oracle-Linux-6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Oracle Linux"
          }
        ],
        "category": "vendor",
        "name": "Oracle Corporation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squid-7:3.1.23-30.el6.tuxcare.els18.x86_64",
                "product": {
                  "name": "squid-7:3.1.23-30.el6.tuxcare.els18.x86_64",
                  "product_id": "squid-7:3.1.23-30.el6.tuxcare.els18.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/squid@3.1.23-30.el6.tuxcare.els18?arch=x86_64&epoch=7"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squid-7:3.1.23-30.el6.tuxcare.els18.x86_64 as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
        },
        "product_reference": "squid-7:3.1.23-30.el6.tuxcare.els18.x86_64",
        "relates_to_product_reference": "Oracle-Linux-6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-12524",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12524"
        },
        {
          "category": "external",
          "summary": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt",
          "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20210205-0006/",
          "url": "https://security.netapp.com/advisory/ntap-20210205-0006/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4446-1/",
          "url": "https://usn.ubuntu.com/4446-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2020-04-15T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T13:48:44.194316Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2019-12521",
      "cwe": {
        "id": "CWE-193",
        "name": "Off-by-one Error"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12521"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2020/04/23/1",
          "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1"
        },
        {
          "category": "external",
          "summary": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt",
          "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202005-05",
          "url": "https://security.gentoo.org/glsa/202005-05"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20210205-0006/",
          "url": "https://security.netapp.com/advisory/ntap-20210205-0006/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4356-1/",
          "url": "https://usn.ubuntu.com/4356-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2020/dsa-4682",
          "url": "https://www.debian.org/security/2020/dsa-4682"
        }
      ],
      "release_date": "2020-04-15T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T13:48:44.194316Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121",
          "product_ids": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777384121"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:squid-7:3.1.23-30.el6.tuxcare.els18.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}