[USN-2995-1] Squid vulnerabilities

Severity Medium

Affected Packages 12

CVEs 9

Several security issues were fixed in Squid.

Yuriy M. Kaminskiy discovered that the Squid pinger utility incorrectly
handled certain ICMPv6 packets. A remote attacker could use this issue to
cause Squid to crash, resulting in a denial of service, or possibly cause
Squid to leak information into log files. (CVE-2016-3947)

Yuriy M. Kaminskiy discovered that the Squid cachemgr.cgi tool incorrectly
handled certain crafted data. A remote attacker could use this issue to
cause Squid to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-4051)

It was discovered that Squid incorrectly handled certain Edge Side Includes
(ESI) responses. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054)

Jianjun Chen discovered that Squid did not correctly ignore the Host header
when absolute-URI is provided. A remote attacker could possibly use this
issue to conduct cache-poisoning attacks. This issue only affected Ubuntu
14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4553)

Jianjun Chen discovered that Squid incorrectly handled certain HTTP Host
headers. A remote attacker could possibly use this issue to conduct
cache-poisoning attacks. (CVE-2016-4554)

Package	Affected Version
pkg:deb/ubuntu/squidclient?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squidclient?distro=trusty	< 3.3.8-1ubuntu6.8
pkg:deb/ubuntu/squid?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squid?distro=trusty	< 3.3.8-1ubuntu6.8
pkg:deb/ubuntu/squid3?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squid3?distro=trusty	< 3.3.8-1ubuntu6.8
pkg:deb/ubuntu/squid3-common?distro=trusty	< 3.3.8-1ubuntu6.8
pkg:deb/ubuntu/squid-purge?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squid-purge?distro=trusty	< 3.3.8-1ubuntu6.8
pkg:deb/ubuntu/squid-common?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squid-cgi?distro=xenial	< 3.5.12-1ubuntu7.2
pkg:deb/ubuntu/squid-cgi?distro=trusty	< 3.3.8-1ubuntu6.8

ID

USN-2995-1

Severity

medium

URL

https://ubuntu.com/security/notices/USN-2995-1

Published

2016-06-09T17:10:37
(8 years ago)

Modified

2016-06-09T17:10:37
(8 years ago)

Other Advisories

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform
Affected	pkg:deb/ubuntu/squidclient?distro=xenial	ubuntu	squidclient	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squidclient?distro=trusty	ubuntu	squidclient	< 3.3.8-1ubuntu6.8	trusty
Affected	pkg:deb/ubuntu/squid?distro=xenial	ubuntu	squid	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squid?distro=trusty	ubuntu	squid	< 3.3.8-1ubuntu6.8	trusty
Affected	pkg:deb/ubuntu/squid3?distro=xenial	ubuntu	squid3	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squid3?distro=trusty	ubuntu	squid3	< 3.3.8-1ubuntu6.8	trusty
Affected	pkg:deb/ubuntu/squid3-common?distro=trusty	ubuntu	squid3-common	< 3.3.8-1ubuntu6.8	trusty
Affected	pkg:deb/ubuntu/squid-purge?distro=xenial	ubuntu	squid-purge	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squid-purge?distro=trusty	ubuntu	squid-purge	< 3.3.8-1ubuntu6.8	trusty
Affected	pkg:deb/ubuntu/squid-common?distro=xenial	ubuntu	squid-common	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squid-cgi?distro=xenial	ubuntu	squid-cgi	< 3.5.12-1ubuntu7.2	xenial
Affected	pkg:deb/ubuntu/squid-cgi?distro=trusty	ubuntu	squid-cgi	< 3.3.8-1ubuntu6.8	trusty

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date