Issue created Mar 02, 2016 by Alicha CH (@alicha, Reporter)

squid: Multiple Denial of Service issues (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-2572)

CVE-2016-2569, CVE-2016-2570: some code paths fail to check bounds in string object

CVE-2016-2571, CVE-2016-2572: wrong error handling for malformed HTTP responses.

Affected versions:

Squid 3.x ->3.5.16 (All unpatched Squid-3.4, 3.5.14 and older versions are vulnerable)

Squid 4.x ->4.0.7 (All unpatched Squid-4.0.6 and older are vulnerable)

Fixed in version:

Squid 3.5.15 and 4.0.7.

References:

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
http://seclists.org/oss-sec/2016/q1/442

Patches:

Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch (CVE-2016-2571)
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch (CVE-2016-2569)
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch (CVE-2016-2570)

CVE-2016-2572 apparently only affects squid 4.x

(from redmine: issue id 5212, created on 2016-03-02, closed on 2016-12-27)

  • Relations:
    • child #5213 (closed)
    • child #5214 (closed)
    • child #5215 (closed)
    • child #5216 (closed)
    • child #5217 (closed)