Bug 1329136 (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, SQUID-2016:6)
| Summary: | CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 squid: multiple issues in ESI processing | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bnater, carnil, cbuissar, henrik, jonathansteffan, luhliari, psimerda, thozza |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | squid 3.5.17, squid 4.0.9 | Doc Type: | Bug Fix |
| Doc Text: | Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-06-09 12:44:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1329144, 1330572, 1330573, 1330574, 1330575, 1330576, 1330577 | | |
| Bug Blocks: | 1329143 | | |
Description

Andrej Nemec, 2016-04-21 09:37:00 UTC

Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1329144]

CVE assignments: http://seclists.org/oss-sec/2016/q2/120

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:1139 https://access.redhat.com/errata/RHSA-2016:1139

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:1140 https://access.redhat.com/errata/RHSA-2016:1140

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:1138 https://access.redhat.com/errata/RHSA-2016:1138

squid-3.5.19-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

squid-3.5.10-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.