Due to incorrect data management, Squid is vulnerable to an information disclosure when processing HTTP Digest Authentication. References: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1770361]
Upstream patch: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
External References: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
Mitigation: Remove 'auth_param digest ...' configuration settings from squid.conf.
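One way to check a configuration against the mitigation above, as an added example that is not part of the original bug report or of Squid itself. The sample squid.conf, its helper paths and the function names are constructed for illustration. The script reports `include` files but does not follow them, and it also lists the other configured schemes, since `proxy_auth` ACLs still need one after Digest is removed.

```python
# Constructed sample squid.conf for this example (not from a real deployment).
SAMPLE_CONF = """\
# auth_param digest realm old-proxy
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
  auth_param digest program /usr/lib64/squid/digest_file_auth /etc/squid/digest_passwd
auth_param digest children 5
include /etc/squid/conf.d/*.conf
acl authed proxy_auth REQUIRED
http_access allow authed
"""


def audit_digest_auth(conf_text):
    """Find active 'auth_param digest' directives in squid.conf text.

    Returns (findings, includes, other_schemes):
      findings      - [(line number, stripped line)] for active digest directives
      includes      - include paths seen; they are reported, not followed
      other_schemes - other auth schemes that stay configured after mitigation
    """
    findings, includes, other_schemes = [], [], set()
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or full-line comment
        if tokens[0] == "include":
            includes.extend(tokens[1:])
        elif tokens[0] == "auth_param" and len(tokens) > 1:
            if tokens[1].lower() == "digest":  # scheme compared case-insensitively to be safe
                findings.append((lineno, raw.strip()))
            else:
                other_schemes.add(tokens[1].lower())
    return findings, includes, sorted(other_schemes)


def apply_mitigation(conf_text):
    """Return conf_text with every active digest directive commented out."""
    flagged = {lineno for lineno, _ in audit_digest_auth(conf_text)[0]}
    lines = conf_text.splitlines()
    return "\n".join("# " + l if n in flagged else l
                     for n, l in enumerate(lines, start=1)) + "\n"


if __name__ == "__main__":
    findings, includes, others = audit_digest_auth(SAMPLE_CONF)
    for lineno, text in findings:
        print(f"line {lineno}: {text}")
    print("includes to audit separately:", includes)
    print("auth schemes remaining after mitigation:", others or "none")
```

Run the same audit on every file matched by the reported `include` paths, and have Squid re-read its configuration after editing so the change takes effect.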
As per upstream: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18679
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743