vulnerability
Oracle Linux: CVE-2019-12519: ELSA-2020-2040: squid security update (IMPORTANT) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:H/Au:N/C:C/I:C/A:C) | 2020-04-24 | 2022-10-05 | 2025-01-07 |
Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
2020-04-24
Added
2022-10-05
Modified
2025-01-07
Description
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
A flaw was found in Squid through version 4.7. When handling the tag esi:when, when ESI is enabled, Squid calls the ESIExpression::Evaluate function which uses a fixed stack buffer to hold the expression. While processing the expression, there is no check to ensure that the stack won't overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
A flaw was found in Squid through version 4.7. When handling the tag esi:when, when ESI is enabled, Squid calls the ESIExpression::Evaluate function which uses a fixed stack buffer to hold the expression. While processing the expression, there is no check to ensure that the stack won't overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Solution(s)
oracle-linux-upgrade-libecaporacle-linux-upgrade-libecap-develoracle-linux-upgrade-squidoracle-linux-upgrade-squid-migration-scriptoracle-linux-upgrade-squid-sysvinit
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.