Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160506144641.EE41F72E00D@smtpvbsrv1.mitre.org>
Date: Fri,  6 May 2016 10:46:41 -0400 (EDT)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Squid HTTP caching proxy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1) Cache Poisoning issue in HTTP Request handling
> Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
> Patch at
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
> 
>   When absolute-URI is provided Host header should be ignored. However some
>   code still uses Host directly so normalize it using the URL authority
>   value before doing any further request processing.
>   
>   For now preserve the case where Host is completely absent.

Use CVE-2016-4553.


> 2) Header Smuggling issue in HTTP Request processing
> Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
> 
> Patches at:
>  http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10496.patch
>  ...
>  http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch
> 
> Require exact match in Host header name lookup
> 
> - while (xisspace(*p))
> -     ++p;

Use CVE-2016-4554.


> 3) Multiple Denial of Service issues in ESI Response processing.
> Advisory at http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
> 
> Patches at:
>  http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch
>  http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch

> Due to incorrect pointer handling and reference counting Squid is
> vulnerable to a denial of service attack when processing ESI
> responses.
> 
> These problems allow a remote server delivering certain ESI
> response syntax to trigger a denial of service for all clients
> accessing the Squid service.

Use CVE-2016-4555 for the vulnerability in client_side_request.cc -
here, "if (aConn)" was added.

Use CVE-2016-4556 for the vulnerability in Esi.cc - it is
described as "was being unlocked without having been locked."


> Due to unrelated changes Squid-3.5 has become vulnerable to some
> regular ESI server responses also triggering one or more of these
> issues.
> 
> This bug is fixed by Squid version 3.5.18 and 4.0.10.

As far as we can tell, this does not really mean that there is an
additional vulnerability in 3.5.17 that did not exist in 4.0.9.
Instead, it means that the vulnerabilities are the same, but in 3.5.x
people might notice the vulnerabilities being exploited accidentally.


> (URLs below are now all public, but some of our mirrors may take a few
> more hours to pick up the changes).

This means, for example, that the URLs work if one manually locates
all instances of www.squid-cache.org and inserts www1.jp.squid-cache.org
instead. See http://www.squid-cache.org/Download/http-mirrors.html
for other options.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXLK2sAAoJEHb/MwWLVhi2dv4P/307N7HayVoijH0rHVfU6E1b
Ncy7dciziT5ErGQNLvF8vdSbGoMtWy8hIPyqcU6J/ajfeQ5eYxTl6ZAChoa0AUPK
xwhgk29TjA33NeqL+/YzRqTdkCMdeydU/sIGPXbUHuumHRVlLkOf49LgaONZaO3o
c0RdQGs5Ncy5yTGeh7mZjSKLTw/N2QShJNWt7NRPfwdWADuz5FFEBywL9MNQtQen
GLso1f9fTezKsfV7Ph+KECCAWOJq9kekG1awfhn6mGX/urp5VtgZW6Ro9/5TCATc
lbiN0s3Cj7toRfbs/0w2xpjFMttn50bWG/ohIcb52rReTMJSPY5MQLUpcBtPrsHq
ICWo9gcIilkPeol+kzAPRWM8zqbeZBwHomLjWcKhBXZyDaZpSKxp9Dimypt22pUV
g7OXwrn/L2VaIrH4pm8RikCSes7cSi1Ef7TgwpkOL1xfCmqO7BupWHB/168A0bL9
eiqcDyWGz/TJr5I7yAJcBQECAu7H3n+hclSBoqrOHhS3u13FNdAxdUWn2Gsp8Rw1
A06zfz4Q2bF+6UTmjQztPgUrKIW77hDJwOP2/gmv2ruegig2QwAqEH1/LeTLbjSq
qSdkKWKLD5xzCXnc0p4rqBusfU2KR9bpLPZ46VF6TcEr97LgtSd4G8d/2+kUkVVp
OHALUwfR5fbWjM1IW5Bx
=Zucs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.