Subject: [ASA-201907-5] squid: arbitrary code execution Arch Linux Security Advisory ASA-201907-5 ========================================= Severity: Critical Date : 2019-07-17 CVE-ID : CVE-2019-12527 Package : squid Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1004 Summary ======= The package squid before version 4.8-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 4.8-1. # pacman -Syu "squid>=4.8-1" The problem has been fixed upstream in version 4.8. Workaround ========== None. Description =========== Due to incorrect buffer management Squid versions prior to 4.8 are vulnerable to a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials. Impact ====== A remote attacker can execute arbitrary code via crafted HTTP requests. References ========== http://www.squid-cache.org/Advisories/SQUID-2019_5.txt http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch https://security.archlinux.org/CVE-2019-12527