Bug 968392 - (CVE-2016-2569) VUL-0: CVE-2016-2569: squid, squid3: Multiple DoS issues in HTTP Response processing
(CVE-2016-2569)
VUL-0: CVE-2016-2569: squid, squid3: Multiple DoS issues in HTTP Response pro...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/162263/
CVSSv2:SUSE:CVE-2016-2569:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-26 09:48 UTC by Alexander Bergmann
Modified: 2019-07-16 16:36 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-02-26 09:48:01 UTC
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

First issue;
 the proxy contains a String object class with 64KB content limits.
Some code paths do not bounds check before appending to these String
and overflow leads to an assertion which terminates all client
transactions using the proxy, including those unrelated to the limit
being exceeded.

A PoC has already been published for one attack vector using HTTP
"Vary" response header. When the Vary pattern presented by a server
expands to more than 64KB the DoS is triggered. For example:
 Vary: Cookie,Cookie,Cookie,Cookie,...
However, there are currently 4 known distinct vectors (types of
remotely provided input) with varying degrees of difficulty to trigger
the assertion.

Patch URLs that workaround 3 of those vectors (though not fully solve) are:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch

----------------
Use CVE-2016-2569 for both squid-3.5-13991.patch and
squid-4-14552.patch. There is (currently) no CVE ID for the remaining
unsolved problem associated with this "though not fully solve"
statement.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2569
http://seclists.org/oss-sec/2016/q1/442
Comment 1 Swamp Workflow Management 2016-02-26 23:00:40 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2016-08-09 15:13:24 UTC
SUSE-SU-2016:1996-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.27.1
Comment 8 Swamp Workflow Management 2016-08-09 15:29:20 UTC
SUSE-SU-2016:2008-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    squid-3.3.14-20.2
Comment 9 Swamp Workflow Management 2016-08-16 13:10:05 UTC
openSUSE-SU-2016:2081-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
openSUSE Leap 42.1 (src):    squid-3.3.14-6.1
Comment 10 Swamp Workflow Management 2016-08-16 16:09:49 UTC
SUSE-SU-2016:2089-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011,993299
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.30.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.30.1
Comment 11 Marcus Meissner 2016-12-19 10:36:35 UTC
released
Comment 12 Swamp Workflow Management 2019-05-08 11:31:08 UTC
This is an autogenerated message for OBS integration:
This bug (968392) was mentioned in
https://build.opensuse.org/request/show/701549 Factory / squid