Bug 578970 (CVE-2016-3947, CVE-2016-3948) - <net-proxy/squid-3.5.16-r1: Multiple vulnerabilities (CVE-2016-{3947,3948})
Summary: <net-proxy/squid-3.5.16-r1: Multiple vulnerabilities (CVE-2016-{3947,3948})
Alias: CVE-2016-3947, CVE-2016-3948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: C3 [glsa cve]
Depends on: 580656
Reported: 2016-04-04 00:52 UTC by Hank Leininger
Modified: 2016-07-09 01:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2016-04-04 00:52:32 UTC
SQUID-2016_4 below; see also SQUID-2016_3.

Squid Proxy Cache Security Update Advisory SQUID-2016:4

Advisory ID:        SQUID-2016:4
Date:               April 02, 2016
Summary:            Denial of Service issue
                    in HTTP Response processing.
Affected versions:  Squid 3.x -> 3.5.15
                    Squid 4.x -> 4.0.7
Fixed in version:   Squid 4.0.8, 3.5.16

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to a denial
 of service attack when processing HTTP responses.
 This problem allows a malicious client script and remote server
 delivering certain unusual HTTP response syntax to trigger a
 denial of service for all clients accessing the Squid service.


Updated Packages:

 This bug is fixed by Squid version 3.5.16 and 4.0.8.

 In addition, a patch addressing this problem for the stable
 release can be found in our patch archives:

Squid 3.5:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 All unpatched Squid-3.0 versions are vulnerable.

 All unpatched Squid-3.1 versions are vulnerable.

 All unpatched Squid-3.2 versions are vulnerable.

 All unpatched Squid-3.3 versions are vulnerable.

 All unpatched Squid-3.4 versions are vulnerable.

 All unpatched Squid-3.5 up to and including Squid-3.5.15 are

 All unpatched Squid-4.0 up to and including 4.0.7 are vulnerable.



 There are no good workarounds known for this vulnerability.

 The following squid.conf settings can protect Squid-3.5 (only):

   acl Vary rep_header Vary .
   store_miss deny Vary


 The following squid.conf setting can protect Squid-3.0 or later:

   cache deny all


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.



 This vulnerability was reported by Santiago R. Rincon of Debian.
 Fixed by Amos Jeffries from Treehouse Networks Ltd.


Revision history:

 2016-03-20 11:25:04 UTC Initial Report
 2016-04-01 06:15:31 UTC Patch Released
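The advisory's "Determining if your version is vulnerable" section gives the affected ranges as prose. The following is an added example (not part of the Squid advisory or this Gentoo bug) that turns those ranges into a version check; the advisory's ranges are copied as stated, while the version-string parsing and the decision to drop a Gentoo-style `-rN` ebuild revision (so that `3.5.16-r1` compares as upstream 3.5.16) are this example's own assumptions.

```python
"""Check a Squid version string against the affected ranges in SQUID-2016:4.

Added example, not part of the Gentoo bug or the Squid advisory. The ranges
below are copied from the advisory text; the version parsing and the handling
of a Gentoo-style "-rN" ebuild revision suffix are this example's own assumptions.
"""
import re
from typing import Tuple

# First fixed release per branch, as stated in the advisory ("Fixed in version:
# Squid 4.0.8, 3.5.16"). Branches 3.0 through 3.4 have no fixed release at all.
FIXED_IN = {
    (3, 5): (3, 5, 16),
    (4, 0): (4, 0, 8),
}
UNFIXED_BRANCHES = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 4)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y[.Z]' (optionally with a Gentoo '-rN' revision) into an int tuple.

    The ebuild revision is dropped: a Gentoo -r1 rebuild of 3.5.16 is still
    upstream 3.5.16 for the purpose of the advisory's ranges (assumption: the
    revision carries distro patches, not a different upstream release).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-r\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Squid version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """Return True if the given Squid version falls in an affected range."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in UNFIXED_BRANCHES:
        return True                    # every release on these branches is affected
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]    # tuple comparison: (3,5,15) < (3,5,16)
    return False                       # branch not named by this advisory


if __name__ == "__main__":
    # Constructed sample inputs, including the Gentoo versions discussed in this bug.
    for sample in ["3.5.15", "3.5.16", "3.5.16-r1", "3.5.17", "4.0.7", "4.0.8", "3.4.14"]:
        print(f"{sample:>10}: {'VULNERABLE' if is_vulnerable(sample) else 'ok'}")
```

A version that is not on one of the branches the advisory names is reported as not affected by this advisory only; it says nothing about other advisories such as SQUID-2016:3.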
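The advisory's workaround section lists two squid.conf mitigations: a `Vary` response-header ACL denied via `store_miss` (Squid-3.5 only), or `cache deny all` for any 3.0 or later release. The following is an added example, not from the Squid advisory or this Gentoo bug, that checks a squid.conf for either of those exact mitigations; the line-splitting and comment handling are this example's own assumptions about squid.conf syntax, and the two sample configurations are constructed for demonstration.

```python
"""Check whether a squid.conf applies one of the SQUID-2016:4 workarounds.

Added example, not from the Gentoo bug or the Squid advisory. It recognises the
two mitigations the advisory lists verbatim; the parsing rules (comment
stripping, case-insensitive directive names) are this example's own
assumptions about squid.conf syntax.
"""
from typing import Dict, List, Set


def _directives(conf: str) -> List[List[str]]:
    """Split squid.conf text into token lists, dropping comments and blank lines."""
    out: List[List[str]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def workaround_status(conf: str) -> Dict[str, bool]:
    """Report which advisory mitigations the configuration contains.

    'vary_store_miss': an ACL matching the Vary response header that is named
                       in a 'store_miss deny' line (Squid-3.5 only per the advisory).
    'cache_deny_all' : 'cache deny all', which disables caching entirely.
    """
    vary_acls: Set[str] = set()
    store_miss_denied: Set[str] = set()
    cache_deny_all = False
    for tok in _directives(conf):
        name = tok[0].lower()
        # acl <name> rep_header Vary <regex>
        if (name == "acl" and len(tok) >= 5
                and tok[2].lower() == "rep_header" and tok[3].lower() == "vary"):
            vary_acls.add(tok[1])
        # store_miss deny <acl> [<acl> ...]
        elif name == "store_miss" and len(tok) >= 3 and tok[1].lower() == "deny":
            store_miss_denied.update(tok[2:])
        # cache deny all
        elif (name == "cache" and len(tok) >= 3
                and tok[1].lower() == "deny" and tok[2].lower() == "all"):
            cache_deny_all = True
    return {
        "vary_store_miss": bool(vary_acls & store_miss_denied),
        "cache_deny_all": cache_deny_all,
    }


def is_mitigated(conf: str) -> bool:
    """True if at least one of the advisory's workarounds is present."""
    return any(workaround_status(conf).values())


# Constructed sample configurations (not taken from any real deployment).
UNMITIGATED_CONF = """\
http_port 3128
cache_dir ufs /var/cache/squid 100 16 256
acl localnet src 10.0.0.0/8
http_access allow localnet
"""

MITIGATED_CONF = UNMITIGATED_CONF + """\
# SQUID-2016:4 workaround (Squid-3.5 only)
acl Vary rep_header Vary .
store_miss deny Vary
"""

if __name__ == "__main__":
    for label, conf in (("unmitigated", UNMITIGATED_CONF), ("mitigated", MITIGATED_CONF)):
        print(label, workaround_status(conf))
```

The check only confirms that the directives are present; as the advisory notes, upgrading to 3.5.16 or 4.0.8 is the actual fix, and `cache deny all` trades the vulnerability for a proxy that no longer caches.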
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 04:29:00 UTC
@maintainer, please bump to 3.5.16.  4.x beta series is not in the tree yet.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 08:52:06 UTC
Package bumped:

@arches, please stabilize:

Comment 3 Tomáš Mózes 2016-04-04 15:17:26 UTC
The mailing list has an interesting thread regarding 3.5.16:

Maybe we should take that into account.
Comment 4 Amos Jeffries 2016-04-12 07:31:02 UTC
Yes. The upstream patch is also needed to resolve that minor regression in these CVE patches.
Comment 5 Eray Aslan gentoo-dev 2016-04-18 15:46:23 UTC
Arches, please stabilize

Target Keywords = alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-20 08:56:04 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-21 19:34:38 UTC
This is confusing.
Comment 8 Tomáš Mózes 2016-04-22 04:46:02 UTC
(In reply to Jeroen Roovers from comment #7)
> This is confusing.

3.5.16 came out as a security release, but it had a known and reported bug, so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another security release came out.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-23 10:01:32 UTC
(In reply to Tomáš Mózes from comment #8)
> (In reply to Jeroen Roovers from comment #7)
> > This is confusing.
> 3.5.16 came out as a security release, but it had a known and reported bug,
> so we needed to release 3.5.16-r1. While doing that, 3.5.17 as another
> security release came out.

That's nice, but why is this stable request still out when a newer version is also going stable, is what I was trying to suggest.
Comment 10 Tomáš Mózes 2016-04-23 18:55:24 UTC
Yeah, I see your point. This stabilization should be stopped because this release is vulnerable and will be dropped anyway.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-20 10:01:54 UTC
CVE-2016-3948 (
  Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds
  checking, which allows remote attackers to cause a denial of service via a
  crafted HTTP response, related to Vary headers.

CVE-2016-3947 (
  Heap-based buffer overflow in the Icmp6::Recv function in icmp/ in
  the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote
  servers to cause a denial of service (performance degradation or transition
  failures) or write sensitive information to log files via an ICMPv6 packet.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-06-20 10:09:08 UTC
Added to existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 01:52:12 UTC
This issue was resolved and addressed in
 GLSA 201607-01 at
by GLSA coordinator Aaron Bauman (b-man).