Arch Linux Security Advisory ASA-201604-14 ========================================== Severity: Critical Date : 2016-04-23 CVE-ID : CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 Package : squid Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package squid before version 3.5.17-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service. Resolution ========== Upgrade to 3.5.17-1. # pacman -Syu "squid>=3.5.17-1" The problems have been fixed upstream in version 3.5.17. Workaround ========== None. Description =========== - CVE-2016-4051 (denial of service) Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid. - CVE-2016-4052 (denial of service) Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. - CVE-2016-4053 (information disclosure) Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. - CVE-2016-4054 (arbitrary code execution) Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses. Impact ====== A remote attacker is able to execute arbitrary code, disclose sensitive information or perform a denial of service attack via multiple vulnerabilities. References ========== http://www.squid-cache.org/Advisories/SQUID-2016_5.txt http://www.squid-cache.org/Advisories/SQUID-2016_6.txt https://access.redhat.com/security/cve/CVE-2016-4051 https://access.redhat.com/security/cve/CVE-2016-4052 https://access.redhat.com/security/cve/CVE-2016-4053 https://access.redhat.com/security/cve/CVE-2016-4054