An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. References: http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1798535]
Mitigation: As a workaround, it is possible to disable support for FTP. In order to do so, remove the following line from your squid configuration file:

    acl Safe_ports 21

Then add the following lines to your squid configuration file:

    acl FTP proto FTP
    http_access deny FTP
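Squid evaluates http_access rules top to bottom and the first match wins, so the deny only protects you if no allow rule sits above it. The following checker is an added example, not part of the original bug report or of Squid's tooling; the function name and the sample configurations are constructed for illustration.

```python
def check_ftp_workaround(conf_text):
    """Return findings for a squid.conf; an empty list means FTP is denied."""
    findings, ftp_acls, deny_seen = [], set(), False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()          # strip comments, tokenize
        if len(tok) < 3:
            continue
        directive = tok[0].lower()
        if directive == "acl":
            name, rest = tok[1], tok[2:]
            # Matches the line as quoted above and the 'port 21' spelling.
            if name == "Safe_ports" and "21" in rest:
                findings.append(f"line {lineno}: port 21 still in Safe_ports")
            if rest[0].lower() == "proto" and "FTP" in (p.upper() for p in rest[1:]):
                ftp_acls.add(name)
        elif directive == "http_access":
            action, acls = tok[1].lower(), tok[2:]
            if action == "deny" and len(acls) == 1 and acls[0] in ftp_acls:
                deny_seen = True
            elif action == "allow" and not deny_seen:
                # First match wins, so an earlier allow can let FTP through.
                findings.append(f"line {lineno}: allow rule precedes the FTP deny")
    if not ftp_acls:
        findings.append("no 'acl <name> proto FTP' defined")
    if not deny_seen:
        findings.append("no 'http_access deny' on a proto FTP ACL")
    return findings

# Constructed sample configurations (not taken from any real deployment).
BEFORE = ("acl Safe_ports port 80\n"
          "acl Safe_ports port 21   # ftp\n"
          "http_access deny !Safe_ports\n"
          "http_access allow localhost\n"
          "http_access deny all\n")
AFTER = ("acl Safe_ports port 80\n"
         "acl FTP proto FTP\n"
         "http_access deny FTP\n"
         "http_access deny !Safe_ports\n"
         "http_access allow localhost\n"
         "http_access deny all\n")
MISORDERED = ("acl FTP proto FTP\n"
              "http_access allow localhost\n"
              "http_access deny FTP\n")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(label, check_ftp_workaround(conf) or "workaround in place")
```

The ordering check is deliberately conservative: it flags any allow rule above the FTP deny, even one whose ACLs could never match an FTP request.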
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4082 https://access.redhat.com/errata/RHSA-2020:4082
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12528
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743
External References: http://www.squid-cache.org/Advisories/SQUID-2020_2.txt