Date: Thu, 21 Apr 2016 02:29:26 +1200 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE Request: Squid HTTP Caching Proxy multiple issues Hi, several vulnerabilities have been reported in Squid proxy. A buffer overflow in the cachemgr.cgi tool reported by CESG (CESG REF: 56397140 / VULNERABILITY ID: 394201) allows remote clients to perform an indirect denial of service attack on the proxy administrator. It could be used trivially to hide other activities from inspection. Or be used to perform remote code execution on systems without overflow protection. This bug was also independently reported by Yuriy M. Kaminskiy. The cachemgr.cgi tool is vulnerable when built from; Squid-3.x up to and including 3.5.16, Squid-4.x up to and including 4.0.8, and Squid-2.x all versions. Upstream report will be at: <http://www.squid-cache.org/Advisories/SQUID-2016_5.txt> Patches at: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14643.patch> <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch> <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch> <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch> <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch> Multiple on-stack buffer overflow from incorrect bounds calculation in Squid ESI processing has been reported by CESG (CESG REF: 56284998 / VULNERABILITY ID: 393536) which allows remote code execution or denial of service if depending on the OS overflow protections which are active. Further investigation has found that when compiler optimization is applied incorrect use of assert() leads to information disclosure of stack contents to remote clients and a second buffer overflow leads to further remote code execution possibilities. Squid-2.x are not vulnerable. Squid-3.x up to and including 3.5.16, Squid-4.x up to and including 4.0.8, when built with --enable-esi and used for either CDN reverse-proxy or TLS MITM are vulnerable. Upstream report will be at: <http://www.squid-cache.org/Advisories/SQUID-2016_6.txt> Patches at: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14648.patch> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch> <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch> <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch> <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch> PS. Some of our mirrors may not be updated for up to 24hrs. The "www." in URLs can be replaced with "west." to fetch from a more up to date mirror directly if one has trouble. Amos Jeffries Squid Software Foundation [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ