Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201604-14 ========================================= Severity: Critical Date : 2016-04-23 CVE-ID : CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 Package : squid Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package squid before version 3.5.17-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service. Resolution ========= Upgrade to 3.5.17-1. # pacman -Syu "squid>=3.5.17-1" The problems have been fixed upstream in version 3.5.17. Workaround ========= None. Description ========== - CVE-2016-4051 (denial of service) Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid. - CVE-2016-4052 (denial of service) Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. - CVE-2016-4053 (information disclosure) Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. - CVE-2016-4054 (arbitrary code execution) Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses. Impact ===== A remote attacker is able to execute arbitrary code, disclose sensitive information or perform a denial of service attack via multiple vulnerabilities. References ========= http://www.squid-cache.org/Advisories/SQUID-2016_5.txt http://www.squid-cache.org/Advisories/SQUID-2016_6.txt https://access.redhat.com/security/cve/CVE-2016-4051 https://access.redhat.com/security/cve/CVE-2016-4052 https://access.redhat.com/security/cve/CVE-2016-4053 https://access.redhat.com/security/cve/CVE-2016-4054