squid3 regression

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS

Summary

USN-4446-1 introduced a regression in Squid.

Software Description

* squid3 - Web proxy cache server

Details

USN-4446-1 fixed vulnerabilities in Squid. The update introduced a
regression when using Squid with the icap or ecap protocols. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Jeriko One discovered that Squid incorrectly handled caching
certain requests. A remote attacker could possibly use this issue
to perform cache-injection attacks or gain access to reverse proxy
features such as ESI. (CVE-2019-12520)

Jeriko One and Kristoffer Danielsson discovered that Squid
incorrectly handled certain URN requests. A remote attacker could
possibly use this issue to bypass access checks. (CVE-2019-12523)

Jeriko One discovered that Squid incorrectly handled URL decoding.
A remote attacker could possibly use this issue to bypass certain
rule checks. (CVE-2019-12524)

Jeriko One and Kristoffer Danielsson discovered that Squid
incorrectly handled input validation. A remote attacker could use
this issue to cause Squid to crash, resulting in a denial of
service. (CVE-2019-18676)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 18.04 LTS
squid - 3.5.27-1ubuntu1.8

Ubuntu 16.04 LTS
squid - 3.5.12-1ubuntu7.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* USN-4446-1
* LP: 1890265

--- Mystic BBS v1.12 A46 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)