Date: Fri, 6 May 2016 10:46:41 -0400 (EDT) From: cve-assign@...re.org To: squid3@...enet.co.nz Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Squid HTTP caching proxy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) Cache Poisoning issue in HTTP Request handling > Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_7.txt > Patch at > http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch > > When absolute-URI is provided Host header should be ignored. However some > code still uses Host directly so normalize it using the URL authority > value before doing any further request processing. > > For now preserve the case where Host is completely absent. Use CVE-2016-4553. > 2) Header Smuggling issue in HTTP Request processing > Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_8.txt > > Patches at: > http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10496.patch > ... > http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch > > Require exact match in Host header name lookup > > - while (xisspace(*p)) > - ++p; Use CVE-2016-4554. > 3) Multiple Denial of Service issues in ESI Response processing. > Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_9.txt > > Patches at: > http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch > http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch > Due to incorrect pointer handling and reference counting Squid is > vulnerable to a denial of service attack when processing ESI > responses. > > These problems allow a remote server delivering certain ESI > response syntax to trigger a denial of service for all clients > accessing the Squid service. Use CVE-2016-4555 for the vulnerability in client_side_request.cc - here, "if (aConn)" was added. Use CVE-2016-4556 for the vulnerability in Esi.cc - it is described as "was being unlocked without having been locked." > Due to unrelated changes Squid-3.5 has become vulnerable to some > regular ESI server responses also triggering one or more of these > issues. > > This bug is fixed by Squid version 3.5.18 and 4.0.10. As far as we can tell, this does not really mean that there is an additional vulnerability in 3.5.17 that did not exist in 4.0.9. Instead, it means that the vulnerabilities are the same, but in 3.5.x people might notice the vulnerabilities being exploited accidentally. > (URLs below are now all public, but some of our mirrors may take a few > more hours to pick up the changes). This means, for example, that the URLs work if one manually locates all instances of www.squid-cache.org and inserts www1.jp.squid-cache.org instead. See http://www.squid-cache.org/Download/http-mirrors.html for other options. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXLK2sAAoJEHb/MwWLVhi2dv4P/307N7HayVoijH0rHVfU6E1b Ncy7dciziT5ErGQNLvF8vdSbGoMtWy8hIPyqcU6J/ajfeQ5eYxTl6ZAChoa0AUPK xwhgk29TjA33NeqL+/YzRqTdkCMdeydU/sIGPXbUHuumHRVlLkOf49LgaONZaO3o c0RdQGs5Ncy5yTGeh7mZjSKLTw/N2QShJNWt7NRPfwdWADuz5FFEBywL9MNQtQen GLso1f9fTezKsfV7Ph+KECCAWOJq9kekG1awfhn6mGX/urp5VtgZW6Ro9/5TCATc lbiN0s3Cj7toRfbs/0w2xpjFMttn50bWG/ohIcb52rReTMJSPY5MQLUpcBtPrsHq ICWo9gcIilkPeol+kzAPRWM8zqbeZBwHomLjWcKhBXZyDaZpSKxp9Dimypt22pUV g7OXwrn/L2VaIrH4pm8RikCSes7cSi1Ef7TgwpkOL1xfCmqO7BupWHB/168A0bL9 eiqcDyWGz/TJr5I7yAJcBQECAu7H3n+hclSBoqrOHhS3u13FNdAxdUWn2Gsp8Rw1 A06zfz4Q2bF+6UTmjQztPgUrKIW77hDJwOP2/gmv2ruegig2QwAqEH1/LeTLbjSq qSdkKWKLD5xzCXnc0p4rqBusfU2KR9bpLPZ46VF6TcEr97LgtSd4G8d/2+kUkVVp OHALUwfR5fbWjM1IW5Bx =Zucs -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.