[manjaro-security] [arch-security] [ASA-201604-4] Squid: denial of service

Jelle van der Waa jelle at archlinux.org
Sat Apr 2 16:21:27 CEST 2016


Arch Linux Security Advisory ASA-201604-4
=========================================

Severity: Low, Medium, High, Critical
Date    : 2016-04-02
CVE-ID  : CVE-2016-3947
Package : squid
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package squid before version 3.5.16-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 3.5.16-1.

# pacman -Syu "squid>=3.5.16-1"

The problem has been fixed upstream in version 3.5.16.

Workaround
==========

None.

Description
===========

Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.

Impact
======

This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.

References
==========

http://article.gmane.org/gmane.comp.security.oss.general/19234
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160402/880b1113/attachment.pgp>


More information about the manjaro-security mailing list