CVE-2019-12527: Squid 4 changes

An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn’t greater than the buffer, leading to a heap-based buffer overflow with user-controlled data.


These changesets represent the changes since the last release. They are included in the current nightly Squid 4 snapshots and are scheduled to be included in the next Squid 4 release.

Note to package maintainers: Patches to the current Squid 4 release represent work in progress and have not yet undergone full quality checks. The developer team reserves the right to update these at any time to fix problems found during quality checking. For this reason (and to reduce confusion about package versions), package maintainers are discouraged from using these patches and should use this page only to backport changes from published releases to earlier releases, if their QA policy does not allow upgrading the package to the current Squid 4 release. If there are any questions regarding this policy, please contact [email protected].
