CVE-2016-4053

Name	CVE-2016-4053
Description	Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-478-1, DSA-3625-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squid (PTS)	bullseye	4.13-10+deb11u3	fixed
	bullseye (security)	4.13-10+deb11u4	fixed
	bookworm, bookworm (security)	5.7-2+deb12u2	fixed
	sid, trixie	6.13-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
squid	source	(unstable)	(not affected)
squid3	source	wheezy	3.1.20-2.2+deb7u5	DLA-478-1
squid3	source	jessie	3.4.8-6+deb8u3	DSA-3625-1
squid3	source	(unstable)	3.5.17-1

Notes

- squid <not-affected> (Squid 2.x are not vulnerable)
http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch (Squid 3.2)
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch (Squid 3.3)
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch (Squid 3.4)
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch (Squid 3.5)