100% cpu usage when using intercept mode with 3.5.18.
Ebuild for 3.5.17 compiles and starts a working squid instance version 3.5.19 (with default use flags).
Arches, please test and mark stable =net-proxy/squid-3.5.19 Thank you.
Stable on alpha.
Stable for HPPA PPC64.
amd64 stable
x86 stable
arm stable
CVE-2016-4556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4556): Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response. CVE-2016-4555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4555): client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses. CVE-2016-4554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4554): mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue. CVE-2016-4553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4553): client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
Added to existing GLSA.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
This issue was resolved and addressed in GLSA 201607-01 at https://security.gentoo.org/glsa/201607-01 by GLSA coordinator Aaron Bauman (b-man).
Re-opening for clean up. @maintainer, please clean the vulnerable versions.
Cleaned: commit 7d76da31430622f08ab2d3e2a77ee7f02ac086a1 Author: Eray Aslan <eras@gentoo.org> Date: Tue Jul 12 15:50:39 2016 +0300 net-proxy/squid: remove old Package-Manager: portage-2.3.0 @eras, please let us know in the future once you clean the vulnerable versions so we may proceed. Thank you.
