CVE-2016-2570

Name: CVE-2016-2570
Description: The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 816011

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| squid3 (PTS) | jessie | 3.4.8-6+deb8u4 | vulnerable |
| | jessie (security) | 3.4.8-6+deb8u5 | vulnerable |
| | stretch (security), stretch | 3.5.23-5+deb9u1 | fixed |
| | buster, sid | 3.5.27-1 | fixed |

The information below is based on the following data on fixed versions.

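| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| squid | source | (unstable) | (not affected) | | | |
| squid3 | source | (unstable) | 3.5.15-1 | medium | | 816011 |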

Notes

[jessie] - squid3 <no-dsa> (Minor issue, needs substantial backporting; too intrusive to backport)
[wheezy] - squid3 <no-dsa> (Minor issue, needs substantial backporting; too intrusive to backport)
- squid <not-affected> (Vulnerable code not present)
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
http://bugs.squid-cache.org/show_bug.cgi?id=3870
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch
Upstream confirmed it does not affect squid 2.7.x
It's maybe too intrusive to fix in 3.1 (squeeze and wheezy).
