
Squid 3.5.x < 3.5.17 Multiple Vulnerabilities

Medium

Synopsis

The remote proxy server is affected by multiple attack vectors.

Description

Versions of Squid 3.5.x prior to 3.5.17 are affected by multiple vulnerabilities:

- A flaw in 'esi/Esi.cc' is triggered as input is not properly validated when handling ESI responses. This may allow a remote attacker to disclose the server stack layout. (OSVDB 137402)
- An overflow condition in 'esi/Esi.cc' is triggered as user-supplied input is not properly validated when handling ESI responses. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (OSVDB 137403)
- An assertion flaw in 'esi/Esi.cc' is triggered as input is not properly validated when handling ESI responses. This may allow a remote attacker to terminate the service. (OSVDB 137404)
- An overflow condition is triggered as user-supplied input is not properly validated when processing the length of content lines in reports by the 'cachemgr.cgi' tool. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (OSVDB 137405)

Solution

Either upgrade to Squid version 3.5.17 or later, or apply the vendor-supplied patch.
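The fix is a version threshold, so the practical check is to read the installed Squid version and compare it against 3.5.17. The following is an added example for that check; it is not the advisory's own plugin code. It assumes the banner format printed by `squid -v` ("Squid Cache: Version X.Y.Z", possibly followed by a build suffix) and only decides the 3.5.x range this advisory covers; other branches are reported as outside its scope rather than as safe.

```python
import re
import subprocess
import sys

# First release the advisory names as fixed.
FIXED_VERSION = (3, 5, 17)

# Matches "Version 3.5.16" or "Version 3.5.17-20160415" in 'squid -v' output.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_squid_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a 'squid -v' banner; raise if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no Squid version found in banner: {banner!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: tuple) -> bool:
    """True when the version is 3.5.x with x below 17 (the advisory's range)."""
    major, minor, patch = version
    return (major, minor) == (3, 5) and patch < FIXED_VERSION[2]


def assess_banner(banner: str) -> dict:
    """Classify a banner as 'affected', 'fixed' (3.5.17+), or 'out_of_scope'."""
    version = parse_squid_version(banner)
    if is_affected(version):
        status = "affected"
    elif version[:2] == (3, 5):
        status = "fixed"
    else:
        # The advisory says nothing about other branches; do not call them safe.
        status = "out_of_scope"
    return {"version": ".".join(map(str, version)), "status": status}


if __name__ == "__main__":
    # Read the banner from a running host (stderr is where squid -v prints on some builds).
    proc = subprocess.run(["squid", "-v"], capture_output=True, text=True, check=False)
    result = assess_banner(proc.stdout + proc.stderr)
    print(result)
    sys.exit(1 if result["status"] == "affected" else 0)
```

Run on the proxy host, the script exits non-zero when the installed build falls inside the affected range, which makes it easy to wire into a configuration-audit job; the "out_of_scope" status deliberately avoids claiming anything about branches the advisory does not cover.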