PublicDateAtUSN: 2019-11-26 17:15:00 UTC
Candidate: CVE-2019-18677
PublicDate: 2019-11-26 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18677
 http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
 https://ubuntu.com/security/notices/USN-4213-1
Description:
 An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Kristoffer Danielsson
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_squid3:
 upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch
upstream_squid3: needs-triage
precise/esm_squid3: ignored (end of ESM support, was needs-triage)
trusty_squid3: ignored (out of standard support)
trusty/esm_squid3: DNE
xenial_squid3: released (3.5.12-1ubuntu7.9)
esm-infra/xenial_squid3: released (3.5.12-1ubuntu7.9)
bionic_squid3: released (3.5.27-1ubuntu1.4)
disco_squid3: DNE
eoan_squid3: DNE
focal_squid3: DNE
groovy_squid3: DNE
hirsute_squid3: DNE
devel_squid3: DNE

Patches_squid:
 upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
upstream_squid: released (4.9-1)
precise/esm_squid: DNE
trusty_squid: ignored (out of standard support)
trusty/esm_squid: DNE
xenial_squid: DNE
bionic_squid: DNE
disco_squid: released (4.4-1ubuntu2.3)
eoan_squid: released (4.8-1ubuntu2.1)
focal_squid: released (4.9-2ubuntu1)
groovy_squid: released (4.9-2ubuntu1)
hirsute_squid: released (4.9-2ubuntu1)
devel_squid: released (4.9-2ubuntu1)