SB2019111122 - Information disclosure in squid (Alpine package)
Published: November 11, 2019
Security Bulletin ID
SB2019111122
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2019-18679)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect data management when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This allows a remote attacker to gain knowledge of memory allocations and bypass ASLR protection and help in exploitation of other vulnerabilities.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=3db264c1978654cc19d61a5feaf1b0ee54e0a85b
- https://git.alpinelinux.org/aports/commit/?id=225360732093a00d6a58a6e626b26e6794a4739c
- https://git.alpinelinux.org/aports/commit/?id=a4301166888c0e2c8a72be8e5d3ec1747a6ab6bf
- https://git.alpinelinux.org/aports/commit/?id=a2e4a10786598b2f40879a608a3090b4f1242065
- https://git.alpinelinux.org/aports/commit/?id=e669c04c87f3b6f9826273154aebe26e89d75dc8
- https://git.alpinelinux.org/aports/commit/?id=49fa120aba707913031864610f9f1e8c9611cc06
- https://git.alpinelinux.org/aports/commit/?id=9655dce42705c52e44b4db28575cc7e05835bdc9
- https://git.alpinelinux.org/aports/commit/?id=c960394d423ce258a68bf53364ae13b6e331d8fe