Date: Sat, 2 Apr 2016 10:22:03 +1300 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com Subject: CVE Request: Squid HTTP Proxy Hi, 1) A buffer overrun (on write(2)) has been found in Squid proxy 'pinger' process that allows an attacker to craft ICMPv6 messages that will either crash the child process (if the OS prootects against over-write) or alter heap contents allowing the attacker to bypass CVE-2014-7142 protection and leak arbitrary heap data into the Squid log files. The pinger is setuid root (though it does drop those privileges prior to this attack being possible). This was reported by Yuriy M. Kaminskiy. Patch for this issue is available at: <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch> The upstream advisory will be at this URL: <http://www.squid-cache.org/Advisories/SQUID-2016_3.txt> 2) A secondary issue with the same Denial of Service effects as CVE-2016-2569 has been found that is not covered by the existing fix. All Squid-3.x versions up to and including 3.5.15, and 4.0.x versions up to and including 4.0.7 are vulnerable to this issue independent of the fix for CVE-2016-2569. This was reported by Santiago R. Rincón of Debian. Patch for this is available at: <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch> The upstream advisory will be at this URL: <http://www.squid-cache.org/Advisories/SQUID-2016_4.txt> Both of these issues are resolved in the 4.0.8 and 3.5.16 packages which will be available within 24hrs. Amos Jeffries Squid Software Foundation Download attachment "signature.asc" of type "application/pgp-signature" (835 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ