Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri,  1 Apr 2016 18:09:24 -0400 (EDT)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Squid HTTP Proxy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1) A buffer overrun (on write(2)) has been found in Squid proxy 'pinger'
> process that allows an attacker to craft ICMPv6 messages that will
> either crash the child process (if the OS prootects against over-write)
> or alter heap contents allowing the attacker to bypass CVE-2014-7142
> protection and leak arbitrary heap data into the Squid log files. The
> pinger is setuid root (though it does drop those privileges prior to
> this attack being possible).
> 
> Patch for this issue is available at:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch
> 
> The upstream advisory will be at this URL:
> http://www.squid-cache.org/Advisories/SQUID-2016_3.txt

Use CVE-2016-3947.


> 2) A secondary issue with the same Denial of Service effects as
> CVE-2016-2569 has been found that is not covered by the existing fix.
> All Squid-3.x versions up to and including 3.5.15, and 4.0.x versions up
> to and including 4.0.7 are vulnerable to this issue independent of the
> fix for CVE-2016-2569.
> 
> Patch for this is available at:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch
> 
> The upstream advisory will be at this URL:
> http://www.squid-cache.org/Advisories/SQUID-2016_4.txt

Use CVE-2016-3948.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW/vEJAAoJEL54rhJi8gl5CDQQAKX+bY+PFOebFBtOrDhYR7tI
4zbp+0MHv8pZjM+o6xW1tU1zYl/+VwCt2qv/O3R4Gt7JWZfOQthrwA1yzU3fNku7
kI6aQZWVisiY6gsjI9Wj1Sfklehm9qSTDXyesMy+RB+oXNqhhR3l9B1GzLwMIcOH
I4chWJNXKoU1o3YWp27cnfLg4QgLzQn7pKLx+rpuOh//oFwfuOkWf3cNLXrRYLew
JDnwc3l+XmwHRtkX/E+su8ipC1dmxovtvqfQtjkjPmuosElSP3RgvtiMro3iK3MV
WF6vM+dV7cAa//mZPd8GDzSeAPYLjiSovwhNWAmW4AlsEpUvGdO5SJ3HrThuhaku
7Lwx9BoRjH2yNqZl23jsLnwTTL2U5DjDePjpVzfKtaIDh5ccam1zHui7g8/j6Hpa
cmWlrlFhhB/FeUNR3EdYrPUF60AcapqJu4sQcpiMdPVFtDnxySj4XKe9yqbvNG3w
OoFxeqOs4n9D2bEA5yTcF5DjbYN/EK08cz7pAi1kUjdbtcG6DeTprJpfvwzjleY5
lx7NFYAJe1I0V7ZplDsUacMuN0AbPDqbkpZ46oWLkiDPassty66SLnVoepsMAlrh
8WF3zq19oyjUMp5gsxUEonZ4f4cVVNlD+jL/BDdWrbRBSvtw+ceQAwCvkFnS20Sh
NcYcZZpfjqharCUG2qxn
=ZN5k
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.