CVE Request: Squid HTTP Proxy

[Amos Jeffries <squid3 () treenet co nz>]

Hi,

1) A buffer overrun (on write(2)) has been found in Squid proxy 'pinger'
process that allows an attacker to craft ICMPv6 messages that will
either crash the child process (if the OS prootects against over-write)
or alter heap contents allowing the attacker to bypass CVE-2014-7142
protection and leak arbitrary heap data into the Squid log files. The
pinger is setuid root (though it does drop those privileges prior to
this attack being possible).
 This was reported by Yuriy M. Kaminskiy.

Patch for this issue is available at:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch>

The upstream advisory will be at this URL:
<http://www.squid-cache.org/Advisories/SQUID-2016_3.txt>


2) A secondary issue with the same Denial of Service effects as
CVE-2016-2569 has been found that is not covered by the existing fix.
All Squid-3.x versions up to and including 3.5.15, and 4.0.x versions up
to and including 4.0.7 are vulnerable to this issue independent of the
fix for CVE-2016-2569.
 This was reported by Santiago R. Rincón of Debian.

Patch for this is available at:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch>

The upstream advisory will be at this URL:
<http://www.squid-cache.org/Advisories/SQUID-2016_4.txt>


Both of these issues are resolved in the 4.0.8 and 3.5.16 packages which
will be available within 24hrs.


Amos Jeffries
Squid Software Foundation

Attachment: signature.asc
Description: OpenPGP digital signature