PublicDateAtUSN: 2019-11-26 17:15:00 UTC
Candidate: CVE-2019-18679
PublicDate: 2019-11-26 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18679
 http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
 https://ubuntu.com/security/notices/USN-4213-1
Description:
 An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to
 incorrect data management, it is vulnerable to information disclosure when
 processing HTTP Digest Authentication. Nonce tokens contain the raw byte
 value of a pointer that sits within heap memory allocation. This
 information reduces ASLR protections and may aid attackers isolating
 memory areas to target for remote code execution attacks.
Ubuntu-Description:
Notes:
 mdeslaur> same patch as CVE-2019-18678
Mitigation:
Bugs:
Priority: medium
Discovered-by: David Fifield
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_squid3:
upstream_squid3: needs-triage
precise/esm_squid3: ignored (end of ESM support, was needs-triage)
trusty_squid3: ignored (out of standard support)
trusty/esm_squid3: DNE
xenial_squid3: released (3.5.12-1ubuntu7.9)
esm-infra/xenial_squid3: released (3.5.12-1ubuntu7.9)
bionic_squid3: released (3.5.27-1ubuntu1.4)
disco_squid3: DNE
eoan_squid3: DNE
focal_squid3: DNE
groovy_squid3: DNE
hirsute_squid3: DNE
devel_squid3: DNE

Patches_squid:
 upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
upstream_squid: released (4.9-1)
precise/esm_squid: DNE
trusty_squid: ignored (out of standard support)
trusty/esm_squid: DNE
xenial_squid: DNE
bionic_squid: DNE
disco_squid: released (4.4-1ubuntu2.3)
eoan_squid: released (4.8-1ubuntu2.1)
focal_squid: released (4.9-2ubuntu1)
groovy_squid: released (4.9-2ubuntu1)
hirsute_squid: released (4.9-2ubuntu1)
devel_squid: released (4.9-2ubuntu1)