Bug 578970 (CVE-2016-3947, CVE-2016-3948) - <net-proxy/squid-3.5.16-r1: Multiple vulnerabilities (CVE-2016-{3947,3948})
Summary: <net-proxy/squid-3.5.16-r1: Multiple vulnerabilities (CVE-2016-{3947,3948})
Status: RESOLVED FIXED
Alias: CVE-2016-3947, CVE-2016-3948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Advisories...
Whiteboard: C3 [glsa cve]
Depends on: 580656
Reported: 2016-04-04 00:52 UTC by Hank Leininger
Modified: 2016-07-09 01:52 UTC
Description Hank Leininger 2016-04-04 00:52:32 UTC
SQUID-2016_4 below; see also SQUID-2016_3.


Squid Proxy Cache Security Update Advisory SQUID-2016:4
__________________________________________________________________

Advisory ID:        SQUID-2016:4
Date:               April 02, 2016
Summary:            Denial of Service issue
                    in HTTP Response processing.
Affected versions:  Squid 3.x -> 3.5.15
                    Squid 4.x -> 4.0.7
Fixed in version:   Squid 4.0.8, 3.5.16
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3948
__________________________________________________________________

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to a denial
 of service attack when processing HTTP responses.

__________________________________________________________________

Severity:

 This problem allows a malicious client script and remote server
 delivering certain unusual HTTP response syntax to trigger a
 denial of service for all clients accessing the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.5.16 and 4.0.8.

 In addition, a patch addressing this problem for the stable
 release can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All unpatched Squid-3.0 versions are vulnerable.

 All unpatched Squid-3.1 versions are vulnerable.

 All unpatched Squid-3.2 versions are vulnerable.

 All unpatched Squid-3.3 versions are vulnerable.

 All unpatched Squid-3.4 versions are vulnerable.

 All unpatched Squid-3.5 up to and including Squid-3.5.15 are
 vulnerable.

 All unpatched Squid-4.0 up to and including 4.0.7 are vulnerable.

__________________________________________________________________

Workaround:

 There are no good workarounds known for this vulnerability.

 The following squid.conf settings can protect Squid-3.5 (only):

   acl Vary rep_header Vary .
   store_miss deny Vary

Or,

 The following squid.conf setting can protect Squid-3.0 or later:

   cache deny all

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was reported by Santiago R. Rincon of Debian.
 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2016-03-20 11:25:04 UTC Initial Report
 2016-04-01 06:15:31 UTC Patch Released
__________________________________________________________________
END
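An added audit helper for this advisory (my own code, not Squid's or Gentoo's): it encodes the affected version ranges from "Determining if your version is vulnerable" and recognises the two squid.conf mitigations from "Workaround", so a fleet of proxies can be checked offline. It assumes Gentoo-style version strings such as 3.5.16-r1 and squid.conf text with one directive per line; the sample config is constructed.

```python
"""Audit helper for SQUID-2016:4 / CVE-2016-3948 (added example, not Squid or Gentoo code).
Affected per the advisory: 3.0-3.4 (all), 3.5.x <= 3.5.15, 4.0.x <= 4.0.7.
Mitigations: 'cache deny all' (3.0+) or the Vary rep_header ACL + store_miss deny (3.5 only)."""
import re

def parse_version(ver):
    """'3.5.16-r1' -> (3, 5, 16); Gentoo '-rN' and old '.STABLEn' tails are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", ver)
    if not m:
        raise ValueError("unrecognised Squid version: %r" % ver)
    return tuple(int(x or 0) for x in m.groups())

def is_vulnerable(ver):
    """True if the version falls inside the advisory's affected ranges."""
    major, minor, patch = parse_version(ver)
    if major == 3:
        return minor < 5 or (minor == 5 and patch <= 15)
    if major == 4 and minor == 0:
        return patch <= 7
    return False  # 2.x and anything newer lie outside the ranges the advisory lists

def has_workaround(conf_text, ver):
    """True if squid.conf carries a mitigation that is valid for this Squid version."""
    # Drop comments and blank lines so each entry is one directive.
    lines = [l.split("#", 1)[0].strip() for l in conf_text.splitlines()]
    lines = [l for l in lines if l]
    if any(re.fullmatch(r"cache\s+deny\s+all", l) for l in lines):
        return True  # caching disabled entirely: the advisory's 3.0-or-later workaround
    if parse_version(ver)[:2] != (3, 5):
        return False  # the rep_header/store_miss pair only protects 3.5
    acl_re = re.compile(r"acl\s+(\S+)\s+rep_header\s+Vary\s+\.")
    vary_acls = {m.group(1) for m in map(acl_re.fullmatch, lines) if m}
    deny_re = re.compile(r"store_miss\s+deny\s+(\S+)")
    return any(m and m.group(1) in vary_acls for m in map(deny_re.fullmatch, lines))

def audit(ver, conf_text):
    """Classify one deployment: not affected / vulnerable, mitigated / vulnerable, unmitigated."""
    if not is_vulnerable(ver):
        return "not affected"
    return "vulnerable, mitigated" if has_workaround(conf_text, ver) else "vulnerable, unmitigated"

# Constructed sample squid.conf carrying the advisory's 3.5-only workaround.
SAMPLE_CONF = """
http_port 3128
# match any response that carries a Vary header
acl Vary rep_header Vary .
store_miss deny Vary
"""

if __name__ == "__main__":
    for v in ("3.4.14", "3.5.15", "3.5.16-r1", "4.0.7", "4.0.8"):
        print(v, audit(v, SAMPLE_CONF))
```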
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 04:29:00 UTC
@maintainer, please bump to 3.5.16.  4.x beta series is not in the tree yet.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 08:52:06 UTC
Package bumped:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4ec113c267cf356f1caf54e085a5d54fab6e9cf

@arches, please stabilize:

=net-proxy/squid-3.5.16
Comment 3 Tomáš Mózes 2016-04-04 15:17:26 UTC
The mailing list has an interesting thread regarding 3.5.16:
http://lists.squid-cache.org/pipermail/squid-users/2016-April/009985.html

Maybe we should take that into account.
Comment 4 Amos Jeffries 2016-04-12 07:31:02 UTC
Yes. The upstream patch http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14022.patch is also needed to resolve that minor regression in these CVE patches.
Comment 5 Eray Aslan gentoo-dev 2016-04-18 15:46:23 UTC
Arches, please stabilize
=net-proxy/squid-3.5.16-r1

Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-20 08:56:04 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-21 19:34:38 UTC
This is confusing.
Comment 8 Tomáš Mózes 2016-04-22 04:46:02 UTC
(In reply to Jeroen Roovers from comment #7)
> This is confusing.

3.5.16 came out as a security release, but it had a known and reported bug, so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another security release came out.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-23 10:01:32 UTC
(In reply to Tomáš Mózes from comment #8)
> (In reply to Jeroen Roovers from comment #7)
> > This is confusing.
> 
> 3.5.16 came out as a security release, but it had a known and reported bug,
> so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another
> security release came out.

That's nice, but why is this stable request still out when a newer version is also going stable, is what I was trying to suggest.
Comment 10 Tomáš Mózes 2016-04-23 18:55:24 UTC
Yeah, I see your point. This stabilization should be stopped because this release is vulnerable and will be dropped anyway.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-20 10:01:54 UTC
CVE-2016-3948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3948):
  Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds
  checking, which allows remote attackers to cause a denial of service via a
  crafted HTTP response, related to Vary headers.

CVE-2016-3947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3947):
  Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in
  the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote
  servers to cause a denial of service (performance degradation or transition
  failures) or write sensitive information to log files via an ICMPv6 packet.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-06-20 10:09:08 UTC
Added to existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 01:52:12 UTC
This issue was resolved and addressed in
 GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01
by GLSA coordinator Aaron Bauman (b-man).