Bug 1817121 (CVE-2019-18860)
| Summary: | CVE-2019-18860 squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anon.amish, code, jonathansteffan, luhliari, uwe.knop |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Squid 4.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi which could result in squid behaving in unsecure way.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:24:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1820663, 1820664 | ||
| Bug Blocks: | 1817125 | ||
|
Description
Michael Kaplan
2020-03-25 15:46:18 UTC
External References: https://github.com/squid-cache/squid/pull/504 Mitigation: The cachemgr.cgi script is not used by default. If you've set this up manually and are worried about this issue, remove it from your server. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18860 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743 |