FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squid -- Vulnerable to HTTP Digest Authentication

Affected packages
squid < 4.9

Details

VuXML ID 620685d6-0aa3-11ea-9673-4c72b94353b5
Discovery 2019-11-05
Entry 2019-11-19

Squid Team reports:

Problem Description: Due to incorrect data management Squid is vulnerable to an information disclosure when processing HTTP Digest Authentication.

Severity: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

References

CVE Name CVE-2019-18679
URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18679
URL http://www.squid-cache.org/Advisories/SQUID-2019_11.txt