Summary: | <net-proxy/squid-3.5.17: multiple buffer overflows + information disclosure (CVE-2016-{4051,4052,4053,4054}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | eras |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 582814 | ||
Bug Blocks: | 578970 |
Description
Hanno Böck
2016-04-20 15:59:58 UTC
Arches, please test and mark stable =net-proxy/squid-3.5.17 Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd Stable for HPPA PPC64. amd64 stable arm stable Stable on alpha. Stabilization continued on security bug #582814 CVE-2016-4054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4054): Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses. CVE-2016-4053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4053): Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization. CVE-2016-4052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4052): Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses. CVE-2016-4051 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4051): Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data. Added to existing GLSA. This issue was resolved and addressed in GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01 by GLSA coordinator Aaron Bauman (b-man). |