| Field | Value |
|---|---|
| Summary | net-proxy/squid-3.5.15: Multiple Denial of Service issues in HTTP Response processing. (CVE-2016-{2569,2570,2571,2572}) |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | eras |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.squid-cache.org/Advisories/SQUID-2016_2.txt |
| Whiteboard | B3 [glsa cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 582814 |
| Bug Blocks | |
Description
Kristian Fiskerstrand (RETIRED)
2016-02-24 09:47:36 UTC
net-proxy/squid-3.5.15 added to the tree. Arches, please test and mark stable =net-proxy/squid-3.5.15

Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd

Stable for HPPA PPC64.

amd64 stable

arm stable

x86 stable

Stable on alpha.

ppc stable

sparc stable

ia64 stable.

Maintainer(s), please clean up. Security, please vote. Arches, thank you for your work.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

CVE-2016-2572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2572): http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.

CVE-2016-2571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2571): http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.

CVE-2016-2570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2570): The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.

CVE-2016-2569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2569): Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.

This issue was resolved and addressed in GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01 by GLSA coordinator Aaron Bauman (b-man).