diff --git a/SOURCES/squid-3.5.20-CVE-2018-1000024.patch b/SOURCES/squid-3.5.20-CVE-2018-1000024.patch
new file mode 100644
index 0000000..9392219
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2018-1000024.patch
@@ -0,0 +1,28 @@
+commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2018-01-19 13:54:14 +1300
+
+    ESI: make sure endofName never exceeds tagEnd (#130)
+
+diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc
+index d86d2d3..db634d9 100644
+--- a/src/esi/CustomParser.cc
++++ b/src/esi/CustomParser.cc
+@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
+ 
+             char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+ 
+-            if (endofName > tagEnd)
++            if (!endofName || endofName > tagEnd)
+                 endofName = const_cast<char *>(tagEnd);
+ 
+             *endofName = '\0';
+@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
+ 
+             char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+ 
+-            if (endofName > tagEnd)
++            if (!endofName || endofName > tagEnd)
+                 endofName = const_cast<char *>(tagEnd);
+ 
+             *endofName = '\0';
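Review bot: `strpbrk()` at both patched sites in src/esi/CustomParser.cc (the hunks at lines 121 and 214) still scans until a NUL byte rather than stopping at `tagEnd`, so the corrected guard only clamps the result after the scan has already run. Whether the parse buffer is guaranteed to be NUL-terminated is not visible here; if it is, state it next to the call, e.g. `// input is NUL-terminated, so strpbrk() stays in bounds; NULL means the tag holds no whitespace`. The two sites are byte-identical, so a small static helper taking `tag` and `tagEnd` would keep the NULL-and-bounds check from diverging again. `ESICustomParser::parse` starts and ends outside both hunks.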
diff --git a/SOURCES/squid-3.5.20-CVE-2018-1000027.patch b/SOURCES/squid-3.5.20-CVE-2018-1000027.patch
new file mode 100644
index 0000000..9ecd8a5
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2018-1000027.patch
@@ -0,0 +1,23 @@
+commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5)
+Author: squidadm <squidadm@users.noreply.github.com>
+Date:   2018-01-21 08:07:08 +1300
+
+    Fix indirect IP logging for transactions without a client connection (#129) (#136)
+
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index be124f3..203f89d 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
+         * Ensure that the access log shows the indirect client
+         * instead of the direct client.
+         */
+-        ConnStateData *conn = http->getConn();
+-        conn->log_addr = request->indirect_client_addr;
+-        http->al->cache.caddr = conn->log_addr;
++        http->al->cache.caddr = request->indirect_client_addr;
++        if (ConnStateData *conn = http->getConn())
++            conn->log_addr = request->indirect_client_addr;
+     }
+     request->x_forwarded_for_iterator.clean();
+     request->flags.done_follow_x_forwarded_for = true;
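Review bot: `http->al` is still dereferenced unconditionally on the first added line, while the point of the change is that `http->getConn()` can be null. If `al` can also be absent for the same kind of transaction (not visible in this hunk), it needs the same guard. The new `if` also deserves a one-line comment so the check is not dropped in a later cleanup, for example `// getConn() is null for transactions without a client connection`. `clientFollowXForwardedForCheck` begins outside the hunk.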
diff --git a/SOURCES/squid-3.5.20-CVE-2019-12525.patch b/SOURCES/squid-3.5.20-CVE-2019-12525.patch
new file mode 100644
index 0000000..6bfe4e3
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2019-12525.patch
@@ -0,0 +1,30 @@
+commit ec0d0f39cf28da14eead0ba5e777e95855bc2f67
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2019-06-08 21:09:23 +0000
+
+    Fix Digest auth parameter parsing (#415)
+    
+    Only remove quoting if the domain=, uri= or qop= parameter
+    value is surrounded by double-quotes.
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 674dd93..d2cd2e9 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -781,14 +781,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+             if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
+                 // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
+                 // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
+-                if (*p == '"' && *(p + vlen -1) == '"') {
++                if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+                     value.limitInit(p+1, vlen-2);
+                 }
+             } else if (keyName == SBuf("qop",3)) {
+                 // qop is more special.
+                 // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
+                 // On response this is a single un-quoted token.
+-                if (*p == '"' && *(p + vlen -1) == '"') {
++                if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+                     value.limitInit(p+1, vlen-2);
+                 } else {
+                     value.limitInit(p, vlen);
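Review bot: The `domain=`/`uri=` branch has no `else`, so a value that fails the new `vlen > 1` quote test leaves `value` as it was before this block, whereas the `qop=` branch falls back to `value.limitInit(p, vlen)`. If dropping an unquoted or single-quote-character value is intended there, say so in the existing comment, e.g. `// anything not wrapped in a pair of '"' is ignored; value stays empty`. The guard itself is repeated verbatim in both branches, and a short comment such as `// vlen > 1: a lone '"' would make vlen-2 negative` would record why it exists. `Auth::Digest::Config::decode` and the declarations of `p`, `vlen` and `value` are outside the hunk, so the initial state of `value` is assumed rather than seen.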
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index b06625d..bb327c6 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  14%{?dist}
+Release:  16%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -63,6 +63,10 @@ Patch218: squid-3.5.20-cache-siblings-gw.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1727744
 Patch500: squid-3.5.20-CVE-2019-13345.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1582301
+Patch501: squid-3.5.20-CVE-2018-1000024.patch
+Patch502: squid-3.5.20-CVE-2018-1000027.patch
+Patch503: squid-3.5.20-CVE-2019-12525.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
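Review bot: Patch503 (CVE-2019-12525) sits under the tracker comment for bug 1582301, but the changelog in this same commit resolves that CVE under #1738582. Give it its own reference line above `Patch503:`, `# https://bugzilla.redhat.com/show_bug.cgi?id=1738582`, so each security patch can be traced to the right tracker when the list is audited later.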
@@ -151,6 +155,9 @@ migration and script which prepares squid for downgrade operation.
 
 # security fixes
 %patch500 -p1 -b .CVE-2019-13345
+%patch501 -p1 -b .CVE-2018-1000024
+%patch502 -p1 -b .CVE-2018-1000027
+%patch503 -p1 -b .CVE-2019-12525
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -380,7 +387,11 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
-* Thu Jul 25 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-14
+* Fri Mar 27 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-16
+- Resolves: #1738582 - CVE-2019-12525 squid: parsing of header 
+  Proxy-Authentication leads to memory corruption
+
+* Thu Jul 25 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-15
 - Resolves: #1690551 - Squid cache_peer DNS lookup failed when not all lower
   case
 - Resolves: #1680022 - squid can't display download/upload packet size for HTTPS
@@ -388,7 +399,8 @@ fi
 - Resolves: #1717430 - Excessive memory usage when running out of descriptors
 - Resolves: #1676420 - Cache siblings return wrongly cached gateway timeouts
 - Resolves: #1729435 - CVE-2019-13345 squid: XSS via user_name or auth parameter
-  in cachemgr.cgi 
+  in cachemgr.cgi
+- Resolves: #1582301 - CVE-2018-1000024 CVE-2018-1000027 squid: various flaws
 
 * Thu Dec 06 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-13
 - Resolves: #1620546 - migration of upstream squid