{"id":"CLSA-2026-1777541147","summary":"squid34: Fix of 12 CVEs","details":"- CVE-2019-12525: fix heap buffer over-read in Digest auth parameter parsing\n- CVE-2018-1000027: fix NULL pointer dereference in X-Forwarded-For logging for internal transactions\n- CVE-2018-19131: escape certificate field injection via %D in ERR_SECURE_CONNECT_FAIL page\n- CVE-2018-19132: fix memory leak when parsing denied or malformed SNMP packets\n- CVE-2019-13345: escape user_name and pub_auth parameters in cachemgr.cgi to prevent reflected XSS\n- CVE-2019-18860: validate hostname parameter in cachemgr.cgi to prevent reflected XSS\n- CVE-2019-18677: prevent hostname truncation when append_domain expands origin-relative domains\n- CVE-2019-18679: remove in-memory pointer from Digest nonce hash input (ASLR bypass)\n- CVE-2019-18678: reject HTTP requests with BWS between header field-name and colon (RFC 7230 3.2.4)\n- CVE-2019-12523: validate URN NID per RFC 8141 to prevent SSRF via crafted urn: requests\n- CVE-2019-12528: track FTP listing token positions to avoid strstr-based over-read into adjacent heap\n- CVE-2019-12529: replace uudecode with base64_decode in Basic auth to bound input-buffer reads","modified":"2026-05-27T11:35:11.535660971Z","published":"2026-05-02T01:02:36Z","upstream":["CVE-2018-1000027","CVE-2018-19131","CVE-2018-19132","CVE-2019-12523","CVE-2019-12525","CVE-2019-12528","CVE-2019-12529","CVE-2019-13345","CVE-2019-18677","CVE-2019-18678","CVE-2019-18679","CVE-2019-18860"],"references":[{"type":"ADVISORY","url":"https://errata.tuxcare.com/els_os/centos6els/CLSA-2026-1777541147.html"}],"affected":[{"package":{"name":"squid34","ecosystem":"TuxCare:CentOS:6","purl":"pkg:rpm/tuxcare/squid34?distro=centos-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7:3.4.14-16.el6.tuxcare.els13"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/centos6els/CLSA-2026-1777541147.json"}}],"schema_version":"1.7.5"}