

Title:       EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk Vulnerabilities in Squid CVE-2019-12526,  
             CVE-2019-12523 and others [EGI-SVG-CVE-2019-12526]  

Date:        2019-11-13
Updated:     2019-12-02  Updated Version of Frontier Squid available in EGI UMD.

Affected software and risk

HIGH risk vulnerabilities concerning Squid.

Package : Squid
CVE ID  : CVE-2019-12526, CVE-2019-12523

Several security issues have been found in Squid; they were announced by the Squid team and fixed in release 
4.9 [R 1].

EGI SVG considers a couple of these vulnerabilities to be 'HIGH' risk with the potential of being elevated to 
'CRITICAL' in combination with others.

The ones we consider most serious are [R 2] and [R 3]. 

Many sites in EGI will be using frontier-squid (e.g. from the UMD) instead of the squid version directly available from 
RHEL / CentOS.  

**UPDATE 2019-12-02**

The version of frontier-squid with these vulnerabilities fixed is now available in the EGI UMD.

We also remind sites to set the Squid host firewall rules and the Squid network ACLs as tightly as possible.

Actions required/recommended

**UPDATE 2019-12-02**

Sites are recommended to install a non-vulnerable version of Squid, urgently if they have not yet taken mitigating 
action after the previous advisory.

Component installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 4 should see:

The fixed version of Squid is part of the UMD-4.9.0 release.

The fixed version is available from the Squid team [R 1] 

frontier-squid-4.9-2.1 has been released in the CERN distribution [R 4] 

Other Mitigating action

For those using Squid directly from Red Hat or CentOS, note that Red Hat is not planning to apply all of the patches.  
As a permanent mitigating action for CVE-2019-12526 [R 5], they recommend adding the following configuration lines:

	acl URN proto URN
	http_access deny URN

OSG Security team information

Multiple vulnerabilities have been publicly announced affecting all current versions of frontier-squid-3.* and 
frontier-squid-4.*, including one that potentially permits remote code execution and another that permits bypassing 
access controls. An upgraded package is being prepared, but meanwhile a workaround is available to block the remote code 
execution vulnerability. All sites are encouraged to apply the workaround, especially those that are not blocked from 
the internet by a firewall, and to watch for a further announcement on the availability of a new frontier-squid version.


All frontier-squid-3.* and frontier-squid-4.* versions through frontier-squid-4.8-2.1. 
frontier-squid-2.* versions don't have these vulnerabilities but they are deprecated.


Vulnerability SQUID-2019:7 [1] describes a potential heap overflow in the URN (Universal Resource Name) handling code 
that can potentially lead to remote code execution or crash. This feature is not used by OSG clients but is enabled by 
default. A workaround to disable it is below.

Vulnerability SQUID-2019:8 [2] describes several issues with URI (Universal Resource Identifier) processing that permit 
remote clients to bypass access controls or deny service to other clients. It discusses a workaround for a third issue 
enabling access to manager services, but that workaround is already in place by default.

Three other vulnerabilities were announced at the same time but they are not applicable to the OSG.


Add these lines to /etc/squid/ and restart the frontier-squid service, especially if your squid is 
accessible to the internet:

insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")

insertline("# INSERT YOUR OWN RULE", "http_access deny URN")

Watch for a followup announcement of the availability of frontier-squid-4.9.
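As an added illustration (not part of the EGI or OSG advisory text), the following Python checks a squid.conf for the URN mitigation given above, including the ordering caveat that the deny must precede any http_access allow line because Squid stops at the first matching rule, and applies the affected frontier-squid version range stated in the OSG section. The sample configuration and both function names are constructed for this example.

```python
import re

# Constructed sample squid.conf (not from the advisory): the URN ACL and deny
# are present, but the deny sits after a broad allow, so Squid never reaches it.
SAMPLE_SQUID_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet   # first match wins: localnet may still use URN
http_access deny URN
http_access deny all
"""

def check_urn_mitigation(conf_text):
    """Check a squid.conf for the CVE-2019-12526 workaround.

    Returns (acl_defined, deny_effective). deny_effective is True only when
    'http_access deny URN' precedes the first 'http_access allow' line, since
    Squid applies http_access rules in order and stops at the first match.
    """
    acl_defined = False
    deny_line = first_allow_line = None
    for i, raw in enumerate(conf_text.splitlines()):
        tokens = raw.split("#", 1)[0].split()        # strip comments, tokenize
        if tokens == ["acl", "URN", "proto", "URN"]:
            acl_defined = True
        elif len(tokens) >= 2 and tokens[0] == "http_access":
            if tokens[1:3] == ["deny", "URN"] and deny_line is None:
                deny_line = i
            elif tokens[1] == "allow" and first_allow_line is None:
                first_allow_line = i
    deny_effective = (acl_defined and deny_line is not None
                      and (first_allow_line is None or deny_line < first_allow_line))
    return acl_defined, deny_effective

def frontier_squid_is_affected(version):
    """Apply the advisory's range: all 3.* and 4.* releases before 4.9 are
    affected; 2.* is not (but is deprecated); 4.9 and later carry the fix."""
    m = re.match(r"(?:frontier-squid-)?(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major_minor = (int(m.group(1)), int(m.group(2)))
    return (3, 0) <= major_minor < (4, 9)

if __name__ == "__main__":
    print(check_urn_mitigation(SAMPLE_SQUID_CONF))               # (True, False)
    print(frontier_squid_is_affected("frontier-squid-4.8-2.1"))  # True
```

A (True, False) result means the two lines are present but shadowed by an earlier allow rule, which is the case the frontier-squid insertline() placement is meant to avoid.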



Please contact the OSG security team at if you have any questions or concerns. 

OSG Security Team


** WHITE information - Unlimited distribution 
  - see for distribution restrictions **   


Minor updates may be made without re-distribution to the sites


Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


[R 1]

[R 2]

[R 3]

[R 4]

[R 5]

[R 6]


SVG was alerted to this vulnerability by Dave Dykstra from the OSG security team.

Information provided by Dave Dykstra and Mike Stanfield and the OSG security team. 

Yyyy-mm-dd  [EGI-SVG-2019-CVE-2019-12526] 

2019-11-08 SVG alerted to this issue by Dave Dykstra after announcement by Squid team
2019-11-11 Investigation of vulnerability and relevance to EGI carried out 
2019-11-12 EGI SVG Risk Assessment completed
2019-11-13 Advisory sent to sites
2019-12-02 Advisory updated as fixed version is in UMD 4.9.0 and set to [WHITE]


This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6],  
in the context of how the software is used in the EGI infrastructure. 
It is the opinion of the group; we do not guarantee it to be correct. 
The risk may also be higher or lower in other deployments depending on how the software is used.   

Others may re-use this information provided they:

1) Respect the provided TLP classification

2) Credit the EGI Software Vulnerability Group

Also in this case if re-using the OSG information please credit OSG. 

Note that the SVG issue handling procedure is currently under review, to take account of the increasing 
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,