[3.4] squid: Multiple Denial of Service issues (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-2572)
CVE-2016-2569, CVE-2016-2570: some code paths fail to check bounds in string object
CVE-2016-2571, CVE-2016-2572: wrong error handling for malformed HTTP responses.
Affected versions:
Squid 3.x ->3.5.16 (All unpatched Squid-3.4, 3.5.14 and older versions are vulnerable)
Squid 4.x ->4.0.7 (All unpatched Squid-4.0.6 and older are vulnerable)
Fixed in version:
Squid 3.5.15 and 4.0.7.
References:
http://www.squid-cache.org/Advisories/SQUID-2016\_2.txt
http://seclists.org/oss-sec/2016/q1/442
Patches:
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
(CVE-2016-2571)
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
(CVE-2016-2569)
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
(CVE-2016-2570)
CVE-2016-2572 apparently only affects squid 4.x
(from redmine: issue id 5213, created on 2016-03-02, closed on 2016-12-27)
- Relations:
- parent #5212 (closed)
- Changesets:
- Revision a26408c8 by Natanael Copa on 2016-03-03T21:15:03Z:
main/squid: security upgrade to 3.5.15
fixes #5213