SUSE-SU-2016:1996

SUSE-SU-2016:2089

openSUSE-SU-2016:2081

1035457

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt

http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch

http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch

http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch

http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch

USN-2995-1

GLSA-201607-01

Versions of Squid 3.5.x prior to 3.5.15 are affected by multiple vulnerabilities :

 - A flaw is triggered when performing improper bounds checks on specially crafted HTTP responses. This may allow a remote attacker to cause a denial of service. 
 - A flaw is triggered as bounds are not properly checked when processing HTTP responses. This may allow a remote attacker to cause a denial of service for all clients accessing the service.
 - An overflow condition exists in the 'Icmp6::Recv()' function in 'icmp/Icmp6.cc' of the pinger binary. The issue is triggered as user-supplied input is not properly validated when handling specially crafted ICMPv6 packets. This may allow a remote attacker to cause a buffer overflow, crashing the pinger process or potentially leaking data into log files.

The specific version of Squid that the system is running is reportedly affected by the following vulnerabilities:

- Squid contains an overflow condition in the Icmp6::Recv() function in icmp/Icmp6.cc of the pinger binary. The issue is triggered as user-supplied input is not properly validated when handling specially crafted ICMPv6 packets. This may allow a remote attacker to cause a buffer overflow, crashing the pinger process or potentially leaking data into log files. (CVE-2016-3947)

- Squid contains a flaw that is triggered as bounds are not properly checked when processing HTTP responses. This may allow a remote attacker to cause a denial of service for all clients accessing the service. (CVE-2016-3948)


This update for squid3 fixes the following issues :

  - Multiple issues in pinger ICMP processing.
    (CVE-2014-7141, CVE-2014-7142)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2016-4554: fix header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fix multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - Regression caused by the DoS fixes above (bsc#993299)

  - CVE-2016-3948: Fix denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054 :

  - fixes multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4556: fixes double free vulnerability in Esi.cc     (bsc#979008)

  - CVE-2015-5400: Improper Protection of Alternate Path     (bsc#938715)

  - CVE-2014-6270: fix off-by-one in snmp subsystem     (bsc#895773)

  - Memory leak in squid3 when using external_acl     (bsc#976708)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues :

  - Fixed multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2015-5400: Improper protection of alternate path.
    (bsc#938715)

  - CVE-2015-3455: Squid http proxy configured with     client-first SSL bumping did not correctly validate     server certificate. (bsc#929493)

  - CVE-2016-3948: Fixed denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054: Fixed     multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4553: Fixed cache poisoning issue in HTTP     Request handling (bsc#979009)

  - CVE-2016-4554: Fixed header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fixed multiple Denial of Service issues in ESI Response     processing. (CVE-2016-4555, CVE-2016-4556, bsc#979011,     bsc#979008)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for squid3 fixes the following issues :

  - Multiple issues in pinger ICMP processing.
    (CVE-2014-7141, CVE-2014-7142)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2016-4554: fix header smuggling issue in HTTP     Request processing (bsc#979010)

  - fix multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3948: Fix denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054 :

  - fixes multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4556: fixes double free vulnerability in Esi.cc     (bsc#979008)

  - CVE-2015-5400: Improper Protection of Alternate Path     (bsc#938715)

  - CVE-2014-6270: fix off-by-one in snmp subsystem     (bsc#895773)

  - Memory leak in squid3 when using external_acl     (bsc#976708)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues :

  - Fixed multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2015-5400: Improper protection of alternate path.
    (bsc#938715)

  - CVE-2015-3455: Squid http proxy configured with     client-first SSL bumping did not correctly validate     server certificate. (bsc#929493)

  - CVE-2016-3948: Fixed denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054: Fixed     multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4553: Fixed cache poisoning issue in HTTP     Request handling (bsc#979009)

  - CVE-2016-4554: Fixed header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fixed multiple Denial of Service issues in ESI Response     processing. (CVE-2016-4555, CVE-2016-4556, bsc#979011,     bsc#979008)

Additionally, the following non-security issues have been fixed :

  - Fix header size in script unsquid.pl. (bsc#902197)

  - Add external helper ext_session_acl to package.
    (bsc#959290)

  - Update forward_max_tries to permit 25 server paths With     cloud sites becoming more popular more CDN servers are     producing long lists of IPv6 and IPv4 addresses. If     there are not enough paths selected the IPv4 ones may     never be reached.

  - squid.init: wait that squid really dies when we kill it     on upgrade instead of proclaiming its demise prematurely     (bnc#963539)

This update was imported from the SUSE:SLE-12:Update update project.

Security fix for CVE-2016-4553, CVE-2016-4554, CVE-2016-4555, CVE-2016-4556

----

Security fix for CVE-2016-4051, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

----

Security fix for CVE-2016-3947 and CVE-2016-3948

----

Security fix for CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Bugfix

----

Security fix for CVE-2016-4553, CVE-2016-4554, CVE-2016-4555, CVE-2016-4556

----

Security fix for CVE-2016-4051, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

----

Security fix for CVE-2016-3947 and CVE-2016-3948

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201607-01 (Squid: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Squid. Please review       the CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

Yuriy M. Kaminskiy discovered that the Squid pinger utility incorrectly handled certain ICMPv6 packets. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly cause Squid to leak information into log files.
(CVE-2016-3947)

Yuriy M. Kaminskiy discovered that the Squid cachemgr.cgi tool incorrectly handled certain crafted data. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4051)

It was discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054)

Jianjun Chen discovered that Squid did not correctly ignore the Host header when absolute-URI is provided. A remote attacker could possibly use this issue to conduct cache-poisoning attacks. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.
(CVE-2016-4553)

Jianjun Chen discovered that Squid incorrectly handled certain HTTP Host headers. A remote attacker could possibly use this issue to conduct cache-poisoning attacks. (CVE-2016-4554)

It was discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service.
(CVE-2016-4555, CVE-2016-4556).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Squid security advisory 2016:3 reports :

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.

This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.

If the system does not contain buffer-overrun protection leading to that crash this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root priviliges.

Squid security advisory 2016:4 reports :

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

ID	Name	Product	Family	Severity
9774	Squid 3.5.x < 3.5.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
802030	Squid 3.x < 3.5.16, 4.0.x < 4.0.8 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
93294	SUSE SLES11 Security Update : squid3 (SUSE-SU-2016:2089-1)	Nessus	SuSE Local Security Checks	high
93279	SUSE SLES12 Security Update : squid (SUSE-SU-2016:2008-1)	Nessus	SuSE Local Security Checks	high
93271	SUSE SLES11 Security Update : squid3 (SUSE-SU-2016:1996-1)	Nessus	SuSE Local Security Checks	high
92994	openSUSE Security Update : squid (openSUSE-2016-988)	Nessus	SuSE Local Security Checks	high
92285	Fedora 23 : 7:squid (2016-b3b9407940)	Nessus	Fedora Local Security Checks	high
92268	Fedora 24 : 7:squid (2016-95edf19d8a)	Nessus	Fedora Local Security Checks	high
91982	GLSA-201607-01 : Squid: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
91558	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : squid3 vulnerabilities (USN-2995-1)	Nessus	Ubuntu Local Security Checks	high
90334	FreeBSD : squid -- multiple vulnerabilities (297117ba-f92d-11e5-92ce-002590263bf5)	Nessus	FreeBSD Local Security Checks	high

CVE-2016-3947

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high