Bugzilla – Bug 976553
VUL-0: CVE-2016-4051,CVE-2016-5408: squid,squid3: buffer overflow in cachemgr.cgi
Last modified: 2019-07-16 16:36:43 UTC
CVE-2016-4051

A buffer overflow in the cachemgr.cgi tool reported by CESG (CESG REF: 56397140 / VULNERABILITY ID: 394201) allows remote clients to perform an indirect denial of service attack on the proxy administrator. It could be used trivially to hide other activities from inspection, or be used to perform remote code execution on systems without overflow protection. This bug was also independently reported by Yuriy M. Kaminskiy.

The cachemgr.cgi tool is vulnerable when built from:
Squid-3.x up to and including 3.5.16,
Squid-4.x up to and including 4.0.8, and
Squid-2.x all versions.

Upstream report will be at:
<http://www.squid-cache.org/Advisories/SQUID-2016_5.txt>

Patches at:
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-14643.patch>
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch>
<http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch>
<http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch>
<http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch>

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4051
http://seclists.org/oss-sec/2016/q2/120
bugbot adjusting priority
CVE-2016-5408 was assigned for "incomplete fix of CVE-2016-4051 applied on RHEL-6.8 and RHEL-6.9." https://bugzilla.redhat.com/show_bug.cgi?id=1359203
SUSE-SU-2016:1996-1: An update that fixes 25 vulnerabilities is now available.
Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): squid3-3.1.23-8.16.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.27.1
SUSE-SU-2016:2008-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): squid-3.3.14-20.2
openSUSE-SU-2016:2081-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
openSUSE Leap 42.1 (src): squid-3.3.14-6.1
SUSE-SU-2016:2089-1: An update that fixes 25 vulnerabilities is now available.
Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011,993299
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): squid3-3.1.23-8.16.30.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.30.1
SUSE-SU-2016:2147-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 976553,979010
CVE References: CVE-2016-4051,CVE-2016-4554
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): squid-2.7.STABLE5-2.12.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid-2.7.STABLE5-2.12.29.1
released
This is an autogenerated message for OBS integration: This bug (976553) was mentioned in https://build.opensuse.org/request/show/701549 Factory / squid