Debian: DSA-3625-1: squid3 security update
Debian: DSA-3625-1: squid3 security update
Several security issues have been discovered in the Squid caching proxy. CVE-2016-4051:
- ------------------------------------------------------------------------- Debian Security Advisory DSA-3625-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Sebastien Delafond July 22, 2016 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : squid3 CVE ID : CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556 Debian Bug : 823968 Several security issues have been discovered in the Squid caching proxy. CVE-2016-4051: CESG and Yuriy M. Kaminskiy discovered that Squid cachemgr.cgi was vulnerable to a buffer overflow when processing remotely supplied inputs relayed through Squid. CVE-2016-4052: CESG discovered that a buffer overflow made Squid vulnerable to a Denial of Service (DoS) attack when processing ESI responses. CVE-2016-4053: CESG found that Squid was vulnerable to public information disclosure of the server stack layout when processing ESI responses. CVE-2016-4054: CESG discovered that Squid was vulnerable to remote code execution when processing ESI responses. CVE-2016-4554: Jianjun Chen found that Squid was vulnerable to a header smuggling attack that could lead to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers. CVE-2016-4555, CVE-2016-4556: "bfek-18" and "@vftable" found that Squid was vulnerable to a Denial of Service (DoS) attack when processing ESI responses, due to incorrect pointer handling and reference counting. For the stable distribution (jessie), these problems have been fixed in version 3.4.8-6+deb8u3. For the testing (stretch) and unstable (sid) distributions, these problems have been fixed in version 3.5.19-1. We recommend that you upgrade your squid3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.