File _patchinfo of Package patchinfo.14830

<patchinfo incident="14830">
  <issue tracker="cve" id="2019-18860"/>
  <issue tracker="cve" id="2019-12519"/>
  <issue tracker="cve" id="2019-12521"/>
  <issue tracker="cve" id="2020-8517"/>
  <issue tracker="cve" id="2019-12528"/>
  <issue tracker="cve" id="2020-11945"/>
  <issue tracker="bnc" id="1162691">VUL-0: CVE-2020-8517: squid: Buffer Overflow issue in ext_lm_group_acl helper  (SQUID-2020:3)</issue>
  <issue tracker="bnc" id="1167373">VUL-1: CVE-2019-18860: squid: when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.</issue>
  <issue tracker="bnc" id="1170313">VUL-0: CVE-2020-11945: squid: integer overflow bug allows credential replay and remote code execution attacks against HTTP Digest Authentication tokens</issue>
  <issue tracker="bnc" id="1162689">VUL-0: CVE-2019-12528: squid: information Disclosure issue in FTP Gateway (SQUID-2020:2)</issue>
  <issue tracker="bnc" id="1169659">VUL-0: CVE-2019-12519,CVE-2019-12521: squid: stack buffer overflow when handling the tag esi:when</issue>
  <packager>adamm</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for squid</summary>
  <description>This update for squid to version 4.11 fixes the following issues:

- CVE-2020-11945: Fixed a potential remote code execution vulnerability when using
  HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12519, CVE-2019-12521: Fixed incorrect buffer handling that can result 
  in cache poisoning, remote execution, and denial of service attacks when
  processing ESI responses (bsc#1169659).
- CVE-2020-8517: Fixed a possible denial of service caused by incorrect buffer
  management ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
- CVE-2019-12528: Fixed possible information disclosure when translating
  FTP server listings into HTTP responses (bsc#1162689).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
</description>
</patchinfo>