| Field | Value |
|---|---|
| Summary | net-proxy/squid-3.5.16-r1: Multiple vulnerabilities (CVE-2016-{3947,3948}) |
| Product | Gentoo Security |
| Reporter | Hank Leininger <hlein> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | eras, hydrapolic |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.squid-cache.org/Advisories/SQUID-2016_4.txt |
| Whiteboard | C3 [glsa cve] |
| Package list | (empty) |
| Runtime testing required | --- |
| Bug Depends on | 580656 |
| Bug Blocks | (empty) |
Description

Hank Leininger, 2016-04-04 00:52:32 UTC

@maintainer, please bump to 3.5.16. 4.x beta series is not in the tree yet.

Package bumped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4ec113c267cf356f1caf54e085a5d54fab6e9cf

@arches, please stabilize: =net-proxy/squid-3.5.16

The mailing list has an interesting thread regarding 3.5.16: http://lists.squid-cache.org/pipermail/squid-users/2016-April/009985.html Maybe we should take that into account.

Yes. The upstream patch http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14022.patch is also needed to resolve that minor regression in these CVE patches.

Arches, please stabilize =net-proxy/squid-3.5.16-r1

Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd

amd64 stable

This is confusing.

(In reply to Jeroen Roovers from comment #7)
> This is confusing.

3.5.16 came out as a security release, but it had a known and reported bug, so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another security release came out.

(In reply to Tomáš Mózes from comment #8)
> (In reply to Jeroen Roovers from comment #7)
> > This is confusing.
>
> 3.5.16 came out as a security release, but it had a known and reported bug,
> so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another
> security release came out.

That's nice, but why is this stable request still out when a newer version is also going stable, is what I was trying to suggest.

Yeah, I see your point. This stabilization should be stopped because this release is vulnerable and will be dropped anyway.

CVE-2016-3948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3948): Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers.

CVE-2016-3947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3947): Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet.

Added to existing GLSA.

This issue was resolved and addressed in GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01 by GLSA coordinator Aaron Bauman (b-man).
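The thread turns on which Gentoo version string is actually fixed (3.5.16 versus 3.5.16-r1 versus 3.5.17), and the NVD text above gives the affected ranges per branch. The following is an added example, not code from this bug or from Gentoo's portage, that parses Gentoo-style version strings (including `_rc`/`_beta`-style suffixes and `-rN` ebuild revisions), compares them with the usual Gentoo ordering, and reports which of the two CVEs quoted here a given installed version falls under. The affected ranges are transcribed from the NVD sentences quoted in the bug; the sample version list at the bottom is constructed. It only encodes these two CVEs, so a version it reports as clean may still be affected by whatever the later 3.5.17 security release addressed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_ORDER: Dict[Optional[str], int] = {
    "alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1,
}

# Numeric components, optional _suffixN, optional -rN revision.
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)

# Affected ranges transcribed from the NVD text quoted in this bug.
# (branch_major, first_fixed): branch None means "any version below first_fixed".
AFFECTED: Dict[str, List[Tuple[Optional[int], str]]] = {
    # "Squid 3.x before 3.5.16 and 4.x before 4.0.8"
    "CVE-2016-3948": [(3, "3.5.16"), (4, "4.0.8")],
    # "Squid before 3.5.16 and 4.x before 4.0.8" (literal reading of the NVD text)
    "CVE-2016-3947": [(None, "3.5.16"), (4, "4.0.8")],
}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Split '3.5.16_rc1-r2' into ((3,5,16), rank(rc), 1, 2)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    suffix_rank = SUFFIX_ORDER[m.group(2)]
    suffix_num = int(m.group(3)) if m.group(3) else 0
    revision = int(m.group(4)) if m.group(4) else 0
    return nums, suffix_rank, suffix_num, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under Gentoo ordering."""
    ka, kb = parse_version(a), parse_version(b)
    width = max(len(ka[0]), len(kb[0]))
    # Pad the numeric part so 3.5 and 3.5.0 compare as equal.
    pa = ka[0] + (0,) * (width - len(ka[0]))
    pb = kb[0] + (0,) * (width - len(kb[0]))
    ta, tb = (pa,) + ka[1:], (pb,) + kb[1:]
    return (ta > tb) - (ta < tb)


def is_affected(installed: str, cve: str) -> bool:
    """True when `installed` lies inside one of the quoted affected ranges."""
    major = parse_version(installed)[0][0]
    for branch, first_fixed in AFFECTED[cve]:
        if branch is not None and major != branch:
            continue
        if compare_versions(installed, first_fixed) < 0:
            return True
    return False


def affected_cves(installed: str) -> List[str]:
    """Sorted list of the CVEs from this bug that apply to `installed`."""
    return sorted(cve for cve in AFFECTED if is_affected(installed, cve))


if __name__ == "__main__":
    # Constructed sample: the versions discussed in the thread plus a 4.x beta.
    for v in ["3.5.15", "3.5.16", "3.5.16-r1", "3.5.17", "4.0.7", "4.0.8"]:
        hits = affected_cves(v)
        print(f"{v:>10}: {', '.join(hits) if hits else 'not in the quoted ranges'}")
```

The `-r1` revision only raises a version above its unrevised base (3.5.16 < 3.5.16-r1 < 3.5.17), which is exactly why a stabilization request for 3.5.16-r1 still reads as "fixed" for these two CVEs while a newer 3.5.17 was already on its way.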