Squid Heap Overflow Vulnerability (CVE-2019-12526)

Nov 12, 2019 GMT+08:00

I. Overview

A heap overflow vulnerability (CVE-2019-12526) was recently disclosed by the Squid project. Due to incorrect buffer management, Squid is vulnerable to a heap overflow and possible remote code execution when processing URN requests.

We therefore recommend that you check whether your deployment falls within the affected versions and apply the fix or the workaround below without delay.

Reference links:

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Product

Affected versions:

All Squid-3.x up to and including 3.5.28

All Squid-4.x up to and including 4.8

Secure versions:

Squid 4.9

(Note: No Squid-2.x version is affected by this vulnerability.)
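To make the self-check concrete, the following POSIX shell function classifies a Squid version string against the ranges listed above. It is an added example, not part of this notice or of the Squid advisory; the sample version strings at the bottom are constructed, and the `squid -v` pipeline in the comment is the usual way to obtain the installed version on a real host.

```shell
#!/bin/sh
# Added self-check for this notice (example code, not from the Squid advisory).
# Classifies a Squid version string against the affected ranges listed above:
#   Squid-2.x                            -> not affected
#   Squid-3.x up to and including 3.5.28 -> affected
#   Squid-4.x up to and including 4.8    -> affected
#   Squid 4.9 and later                  -> fixed
# Prints the verdict and returns 0 when the version is affected, 1 otherwise.
squid_affected() {
    # Split "major.minor.patch" on dots and keep only the leading digits of
    # each field, so suffixes such as "2.7.STABLE9" or "4.8-20190903" do not
    # break the numeric comparisons. Missing fields default to 0.
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    major=${major:-0};   minor=${minor:-0};   patch=${patch:-0}

    case $major in
        2)
            echo "not affected (Squid-2.x)"; return 1 ;;
        3)
            if [ "$minor" -lt 5 ] || { [ "$minor" -eq 5 ] && [ "$patch" -le 28 ]; }; then
                echo "affected (upgrade to 4.9 or deny URN)"; return 0
            fi
            echo "not listed in this notice"; return 1 ;;
        4)
            if [ "$minor" -le 8 ]; then
                echo "affected (upgrade to 4.9 or deny URN)"; return 0
            fi
            echo "fixed (4.9 or later)"; return 1 ;;
        *)
            echo "not listed in this notice"; return 1 ;;
    esac
}

# Constructed sample versions for a stand-alone run. On a real host, feed the
# installed version instead, e.g.:
#   squid_affected "$(squid -v | sed -n 's/^Squid Cache: Version //p')"
for v in 2.7.STABLE9 3.1.20 3.5.28 4.8 4.9 4.10; do
    printf '%-14s %s\n' "$v" "$(squid_affected "$v")"
done
```

The function uses only the version boundaries stated in this notice; a 3.x build newer than 3.5.28 is reported as "not listed" rather than guessed at, so that the operator consults the upstream advisory for such cases.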

IV. Solutions

This vulnerability has been fixed in the latest official version 4.9. If your service version falls into the affected range, upgrade it to the latest version.

Download link: http://www.squid-cache.org/Versions/v4/

Workarounds

Deny URN requests in squid.conf with the following two lines:

acl URN proto URN

http_access deny URN
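Squid evaluates `http_access` rules top to bottom and stops at the first match, so the deny line only takes effect if it precedes every rule that could allow the request. The excerpt below shows the two lines from this notice placed in a minimal access-list layout; it is an added example, not configuration from the Squid project, and the `localnet` network is a placeholder to be replaced with your own client range.

```conf
# squid.conf excerpt (added example). Only the two URN lines come from the
# notice above; the surrounding access-list layout is constructed.
acl URN proto URN
acl localnet src 192.0.2.0/24    # placeholder client network, adjust to yours

# First match wins: the URN deny must sit above any allow rule.
http_access deny URN
http_access allow localnet
http_access deny all
```

After editing, validate the file with `squid -k parse` and apply it with `squid -k reconfigure`; a parse error at this stage is far cheaper than a proxy that fails to restart.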

Note: Before applying the fix or the workaround, back up your configuration files and test the change thoroughly.