squid-3.5.22-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10307-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z squid-3.5.22-1.1 on GA media These are all security issues fixed in the squid-3.5.22-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10307 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-5643/ SUSE CVE CVE-2012-5643 page https://www.suse.com/security/cve/CVE-2014-7141/ SUSE CVE CVE-2014-7141 page https://www.suse.com/security/cve/CVE-2014-7142/ SUSE CVE CVE-2014-7142 page https://www.suse.com/security/cve/CVE-2015-5400/ SUSE CVE CVE-2015-5400 page openSUSE Tumbleweed squid-3.5.22-1.1 squid-3.5.22-1.1 as a component of openSUSE Tumbleweed Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials. CVE-2012-5643 openSUSE Tumbleweed:squid-3.5.22-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5643.html CVE-2012-5643 https://bugzilla.suse.com/794954 SUSE Bug 794954 https://bugzilla.suse.com/796999 SUSE Bug 796999 The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet. CVE-2014-7141 openSUSE Tumbleweed:squid-3.5.22-1.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7141.html CVE-2014-7141 https://bugzilla.suse.com/1040640 SUSE Bug 1040640 https://bugzilla.suse.com/891268 SUSE Bug 891268 https://bugzilla.suse.com/895773 SUSE Bug 895773 The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size. CVE-2014-7142 openSUSE Tumbleweed:squid-3.5.22-1.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7142.html CVE-2014-7142 https://bugzilla.suse.com/895773 SUSE Bug 895773 https://bugzilla.suse.com/973782 SUSE Bug 973782 Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request. CVE-2015-5400 openSUSE Tumbleweed:squid-3.5.22-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5400.html CVE-2015-5400 https://bugzilla.suse.com/938715 SUSE Bug 938715 https://bugzilla.suse.com/967073 SUSE Bug 967073