PublicDateAtUSN: 2019-11-26 17:15:00 UTC
Candidate: CVE-2019-12526
PublicDate: 2019-11-26 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526
 http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
 https://ubuntu.com/security/notices/USN-4213-1
Description:
 An issue was discovered in Squid before 4.9. URN response handling in Squid
 suffers from a heap-based buffer overflow. When receiving data from a remote
 server in response to an URN request, Squid fails to ensure that the response
 can fit within the buffer. This leads to attacker controlled data overflowing
 in the heap.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Jeriko One
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_squid3:
upstream_squid3: needs-triage
precise/esm_squid3: ignored (end of ESM support, was needs-triage)
trusty_squid3: ignored (out of standard support)
trusty/esm_squid3: DNE
xenial_squid3: released (3.5.12-1ubuntu7.9)
esm-infra/xenial_squid3: released (3.5.12-1ubuntu7.9)
bionic_squid3: released (3.5.27-1ubuntu1.4)
disco_squid3: DNE
eoan_squid3: DNE
focal_squid3: DNE
groovy_squid3: DNE
hirsute_squid3: DNE
devel_squid3: DNE

Patches_squid:
 upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch
upstream_squid: released (4.9-1)
precise/esm_squid: DNE
trusty_squid: ignored (out of standard support)
trusty/esm_squid: DNE
xenial_squid: DNE
bionic_squid: DNE
disco_squid: released (4.4-1ubuntu2.3)
eoan_squid: released (4.8-1ubuntu2.1)
focal_squid: released (4.9-2ubuntu1)
groovy_squid: released (4.9-2ubuntu1)
hirsute_squid: released (4.9-2ubuntu1)
devel_squid: released (4.9-2ubuntu1)