OpenSUSE Linux update for squid

Published: 2018-11-21 09:53:23
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2018-19131, CVE-2018-19132
CVSSv3:
  4.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
  7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-79, CWE-401
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Opensuse
Vulnerable software versions: Opensuse 15.0
Vendor URL: Novell

Security Advisory

1) Cross-site scripting

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing a specially crafted X.509 certificate during HTTP(S) error page generation for certificate errors. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Remediation

Update the affected packages.

External links

https://lists.opensuse.org/opensuse-security-announce/2018-11/msg00029.html

2) Memory leak

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak when processing SNMP requests. A remote attacker can send a specially crafted SNMP request via the proxy server, triggering excessive consumption of memory resources on the system and denial of service conditions.

Remediation

Update the affected packages.

External links

https://lists.opensuse.org/opensuse-security-announce/2018-11/msg00029.html
