[arch-security] [ASA-201604-4] Squid: denial of service
Jelle van der Waa
jelle at archlinux.org
Sat Apr 2 14:21:27 UTC 2016
Arch Linux Security Advisory ASA-201604-4
=========================================
Severity: Low, Medium, High, Critical
Date : 2016-04-02
CVE-ID : CVE-2016-3947
Package : squid
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package squid before version 3.5.16-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 3.5.16-1.
# pacman -Syu "squid>=3.5.16-1"
The problem has been fixed upstream in version 3.5.16.
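A check for the upgrade step above, added here and not part of the advisory: it compares an installed squid version string against the fixed 3.5.16-1 using pacman's epoch:pkgver-pkgrel ordering. The comparison is a simplified re-implementation that assumes numeric dotted segments (true for squid 3.5.x); where pacman's own `vercmp` is available, prefer it. The version strings in the loop are constructed samples.

```shell
#!/bin/sh
# Constructed check, not from the advisory: is the installed squid older than the fix?
FIXED_VERSION="3.5.16-1"   # fixed version from ASA-201604-4

# split_version VER -> prints "epoch pkgver pkgrel" (epoch and pkgrel default to 0)
split_version() {
    v="$1"
    case "$v" in
        *:*) epoch="${v%%:*}"; v="${v#*:}" ;;
        *)   epoch=0 ;;
    esac
    case "$v" in
        *-*) rel="${v##*-}"; v="${v%-*}" ;;
        *)   rel=0 ;;
    esac
    printf '%s %s %s\n' "$epoch" "$v" "$rel"
}

# cmp_dotted A B -> prints -1, 0 or 1 comparing numeric dotted segments
# (assumption: segments are plain integers; missing segments count as 0)
cmp_dotted() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# version_lt A B -> exit 0 when A sorts before B: epoch first, then pkgver, then pkgrel
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    for pair in "$1 $4" "$2 $5" "$3 $6"; do
        case "$(cmp_dotted $pair)" in   # $pair is deliberately unquoted: two args
            -1) return 0 ;;
             1) return 1 ;;
        esac
    done
    return 1
}

# squid_vulnerable INSTALLED -> exit 0 when INSTALLED is older than the fixed version
squid_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# On a live host: installed=$(pacman -Q squid | awk '{print $2}')
for v in 3.5.15-1 3.5.16-1 3.5.16-2 1:3.4.0-1; do   # constructed sample versions
    if squid_vulnerable "$v"; then echo "squid $v: vulnerable to CVE-2016-3947, upgrade"
    else echo "squid $v: at or above fixed version"; fi
done
```

The 1:3.4.0-1 sample shows that an epoch outranks the numeric version, which is why a plain string comparison of pacman versions is not safe.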
Workaround
==========
None.
Description
===========
Due to incorrect bounds checking, Squid is vulnerable to a denial
of service attack when processing HTTP responses.
Impact
======
This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.
References
==========
http://article.gmane.org/gmane.comp.security.oss.general/19234
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt