Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <57179246.30207@treenet.co.nz>
Date: Thu, 21 Apr 2016 02:29:26 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request: Squid HTTP Caching Proxy multiple issues

Hi,
 several vulnerabilities have been reported in Squid proxy.


A buffer overflow in the cachemgr.cgi tool reported by CESG (CESG REF:
56397140 / VULNERABILITY ID: 394201) allows remote clients to perform an
indirect denial of service attack on the proxy administrator. It could
be used trivially to hide other activities from inspection. Or be used
to perform remote code execution on systems without overflow protection.

This bug was also independently reported by Yuriy M. Kaminskiy.

The cachemgr.cgi tool is vulnerable when built from;
Squid-3.x up to and including 3.5.16,
Squid-4.x up to and including 4.0.8, and
Squid-2.x all versions.

Upstream report will be at:
 <http://www.squid-cache.org/Advisories/SQUID-2016_5.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14643.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch>



Multiple on-stack buffer overflow from incorrect bounds calculation in
Squid ESI processing has been reported by CESG (CESG REF: 56284998 /
VULNERABILITY ID: 393536) which allows remote code execution or denial
of service if depending on the OS overflow protections which are active.

Further investigation has found that when compiler optimization is
applied incorrect use of assert() leads to information disclosure of
stack contents to remote clients and a second buffer overflow leads to
further remote code execution possibilities.

Squid-2.x are not vulnerable.
Squid-3.x up to and including 3.5.16,
Squid-4.x up to and including 4.0.8,
 when built with --enable-esi and used for either CDN reverse-proxy or
TLS MITM are vulnerable.

Upstream report will be at:
 <http://www.squid-cache.org/Advisories/SQUID-2016_6.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14648.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch>



PS. Some of our mirrors may not be updated for up to 24hrs. The "www."
in URLs can be replaced with "west." to fetch from a more up to date
mirror directly if one has trouble.


Amos Jeffries
Squid Software Foundation



Download attachment "signature.asc" of type "application/pgp-signature" (835 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.