Bug 40834 – squid3: Denial of service (4.1)

Bug 40834 - squid3: Denial of service (4.1)


Summary:	squid3: Denial of service (4.1)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P4 normal (vote)
Target Milestone:	UCS 4.1-4-errata
Assigned To:	Arvid Requate
QA Contact:	Daniel Tröder

URL:
Keywords:

Depends on:
Blocks:	42563 43408
	Show dependency tree / graph

Reported:	2016-03-04 09:24 CET by Arvid Requate
Modified:	2017-01-24 15:41 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-03-04 09:24:23 CET

The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h (CVE-2016-2570)

Comment 1 Arvid Requate

2016-03-21 13:01:53 CET

Upstream Debian package version 3.1.20-2.2+deb7u4 fixes this issue:

* http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response. (CVE-2016-2571)

Comment 2 Arvid Requate

2016-05-18 14:19:02 CEST

Upstream Debian package version 3.1.20-2.2+deb7u5 fixes these issues:

* CVE-2016-4051: Buffer overflow in cachemgr.cgi.
* CVE-2016-4052: Multiple stack-based buffer overflows by wrongly
  handling Edge Side Includes (ESI) responses.
* CVE-2016-4053: Public information disclosure of the server stack
  layout when processing ESI responses.
* CVE-2016-4054: Remote code execution when processing ESI responses.
* CVE-2016-4554: Header Smuggling issue in HTTP Request processing.
* CVE-2016-4555 and CVE-2016-4556: Denial of Service when processing

Comment 3 Arvid Requate

2016-11-10 21:21:10 CET

Advisory: squid3.yaml

Comment 4 Daniel Tröder

2016-11-28 11:10:15 CET

OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall squid3
OK: automatic tests: ucs-test -E dangerous -s proxy
OK: advisory

Comment 5 Janek Walkenhorst

2016-12-01 11:57:24 CET

<http://errata.software-univention.de/ucs/4.1/346.html>