ArchLinux: 201604-14: squid: multiple issues
Summary
- CVE-2016-4051 (denial of service)
Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable
to a buffer overflow when processing remotely supplied inputs relayed to
it from Squid.
- CVE-2016-4052 (denial of service)
Due to buffer overflow issues Squid is vulnerable to a denial of service
attack when processing ESI responses.
- CVE-2016-4053 (information disclosure)
Due to incorrect input validation Squid is vulnerable to public
information disclosure of the server stack layout when processing
ESI responses.
- CVE-2016-4054 (arbitrary code execution)
Due to incorrect input validation and buffer overflow Squid is
vulnerable to remote code execution when processing ESI
responses.
Resolution
Upgrade to 3.5.17-1.
# pacman -Syu "squid>=3.5.17-1"
The problems have been fixed upstream in version 3.5.17.
References
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt http://www.squid-cache.org/Advisories/SQUID-2016_6.txt https://access.redhat.com/security/cve/CVE-2016-4051 https://access.redhat.com/security/cve/CVE-2016-4052 https://access.redhat.com/security/cve/CVE-2016-4053 https://access.redhat.com/security/cve/CVE-2016-4054
Workaround
None.