Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 582814 (CVE-2016-4554) - <net-proxy/squid-3.5.19 - interception proxy hangs (CVE-2016-{4553,4554,4555,4556})
Summary: <net-proxy/squid-3.5.19 - interception proxy hangs (CVE-2016-{4553,4554,4555,...
Alias: CVE-2016-4554
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on:
Blocks: 575542 580656
  Show dependency tree
Reported: 2016-05-12 07:47 UTC by Tomáš Mózes
Modified: 2016-07-14 10:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tomáš Mózes 2016-05-12 07:47:36 UTC
100% cpu usage when using intercept mode with 3.5.18.
Comment 1 Tomáš Mózes 2016-05-23 09:30:37 UTC
Ebuild for 3.5.17 compiles and starts a working squid instance version 3.5.19 (with default use flags).
Comment 2 Eray Aslan gentoo-dev 2016-05-24 07:02:48 UTC
Arches, please test and mark stable

Thank you.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-24 08:50:29 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-25 05:12:47 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-05-25 09:48:58 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-05-25 11:25:36 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-06-04 05:06:11 UTC
arm stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-06-20 10:05:57 UTC
CVE-2016-4556 (
  Double free vulnerability in in Squid 3.x before 3.5.18 and 4.x
  before 4.0.10 allows remote servers to cause a denial of service (crash) via
  a crafted Edge Side Includes (ESI) response.

CVE-2016-4555 ( in Squid 3.x before 3.5.18 and 4.x before 4.0.10
  allows remote servers to cause a denial of service (crash) via crafted Edge
  Side Includes (ESI) responses.

CVE-2016-4554 ( in Squid before 3.5.18 allows remote attackers to bypass
  intended same-origin restrictions and possibly conduct cache-poisoning
  attacks via a crafted HTTP Host header, aka a "header smuggling" issue.

CVE-2016-4553 ( in Squid before 3.5.18 and 4.x before 4.0.10 does not
  properly ignore the Host header when absolute-URI is provided, which allows
  remote attackers to conduct cache-poisoning attacks via an HTTP request.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-20 10:08:00 UTC
Added to existing GLSA.
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:58 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:30 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 12:05:52 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 01:52:30 UTC
This issue was resolved and addressed in
 GLSA 201607-01 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 01:53:35 UTC
Re-opening for clean up.

@maintainer, please clean the vulnerable versions.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-07-14 10:51:52 UTC

commit 7d76da31430622f08ab2d3e2a77ee7f02ac086a1
Author: Eray Aslan <>
Date:   Tue Jul 12 15:50:39 2016 +0300

    net-proxy/squid: remove old
    Package-Manager: portage-2.3.0

@eras, please let us know in the future once you clean the vulnerable versions so we may proceed.  Thank you.