squid 3.5.16 and below (and also 4.0.8 and below) is affected by multiple security vulnerabilities, see oss-security:
http://www.openwall.com/lists/oss-security/2016/04/20/6
Please bump to 3.5.17. Seems for 4.x there is no fixed upstream release yet.
Arches, please test and mark stable
=net-proxy/squid-3.5.17
Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd
Stable for HPPA PPC64.
amd64 stable
arm stable
Stable on alpha.
Stabilization continued on security bug #582814
CVE-2016-4054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4054): Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.
CVE-2016-4053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4053): Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.
CVE-2016-4052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4052): Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses.
CVE-2016-4051 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4051): Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01 by GLSA coordinator Aaron Bauman (b-man).