CVE-2016-2571
published 2016-02-27CVE-2016-2571: http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP…
PriorityP339high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
9.36%
94.8th percentile
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
Affected
134 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Squid regression
vendor_ubuntu·2022-12-12·CVSS 7.5
[HIGH] Squid regression
Title: Squid regression
Summary: USN-3557-1 introduced a regression in Squid.
USN-3557-1 fixed vulnerabilities in Squid. This update introduced a regression
which could cause the cache log to be filled with many Vary loop messages. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)
William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This is
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2018-02-05·CVSS 7.5
CVE-2016-2569 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)
William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)
Alex Rousskov discovered that Squid incorrectly handled response-parsing
failures. A malicious remote server could possibly cause Squid to crash,
resulting in a denial of service. This
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2016-03-07·CVSS 6.8
CVE-2014-6270 [MEDIUM] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Sebastian Krahmer discovered that Squid incorrectly handled certain SNMP
requests. If SNMP is enabled, a remote attacker could use this issue to
cause Squid to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6270)
Alex Rousskov discovered that Squid incorrectly handled certain malformed
responses. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. (CVE-2016-2571)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: wrong error handling for malformed HTTP responses
vendor_redhat·2016-02-24·CVSS 7.5
CVE-2016-2571 [HIGH] CWE-228 squid: wrong error handling for malformed HTTP responses
squid: wrong error handling for malformed HTTP responses
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
It was found that squid did not properly handle errors when failing to parse an HTTP response, possibly leading to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
For additional information, refer to the Issue Severity Classification: https://acc
Debian
CVE-2016-2571: squid - http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storag...
vendor_debian·2016·CVSS 7.5
CVE-2016-2571 [HIGH] CVE-2016-2571: squid - http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storag...
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
squid3 regression
osv·2022-12-12·CVSS 7.5
[HIGH] squid3 regression
squid3 regression
USN-3557-1 fixed vulnerabilities in Squid. This update introduced a regression
which could cause the cache log to be filled with many Vary loop messages. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)
William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)
GHSA
GHSA-rwpp-43vh-q454: http
ghsa_unreviewed·2022-05-14
CVE-2016-2571 [HIGH] CWE-20 GHSA-rwpp-43vh-q454: http
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
OSV
squid3 vulnerabilities
osv·2018-02-05·CVSS 7.5
CVE-2016-2569 [HIGH] squid3 vulnerabilities
squid3 vulnerabilities
Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)
William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)
Alex Rousskov discovered that Squid incorrectly handled response-parsing
failures. A malicious remote server could possibly cause Squid to crash,
resulting in a denial of service. This issue only applied to Ubuntu 16.04
LTS. (CVE-2016-2571)
Sant
OSV
squid3 vulnerabilities
osv·2016-03-07·CVSS 6.8
CVE-2014-6270 [MEDIUM] squid3 vulnerabilities
squid3 vulnerabilities
Sebastian Krahmer discovered that Squid incorrectly handled certain SNMP
requests. If SNMP is enabled, a remote attacker could use this issue to
cause Squid to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6270)
Alex Rousskov discovered that Squid incorrectly handled certain malformed
responses. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. (CVE-2016-2571)
OSV
CVE-2016-2571: http
osv·2016-02-27·CVSS 7.5
CVE-2016-2571 [HIGH] CVE-2016-2571: http
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
bugzilla·2016-02-26·CVSS 7.5
CVE-2016-2571 [HIGH] CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
Error handling for malformed HTTP responses can lead to a second
assertion with the same effects as the first issue. It is not easily
triggered in Squid-3 or normally in Squid-4.
However fixing the String issue makes it become easily triggerable in
Squid-4, and we do have a history of the assertion itself being
reported as occuring already but been unable to identify the vectors
code path to replicate it yet. So we believe it can be achieved
independent of the String issues, even if we are unable so far to
identify how.
Discussion:
External references:
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
Upstream patches:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
Bugzilla
CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
bugzilla·2016-02-26·CVSS 7.5
CVE-2016-2569 [HIGH] CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2600.htmlhttp://www.debian.org/security/2016/dsa-3522http://www.openwall.com/lists/oss-security/2016/02/26/2http://www.securitytracker.com/id/1035101http://www.squid-cache.org/Advisories/SQUID-2016_2.txthttp://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patchhttp://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patchhttp://www.ubuntu.com/usn/USN-2921-1https://security.gentoo.org/glsa/201607-01https://usn.ubuntu.com/3557-1/http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2600.htmlhttp://www.debian.org/security/2016/dsa-3522http://www.openwall.com/lists/oss-security/2016/02/26/2http://www.securitytracker.com/id/1035101http://www.squid-cache.org/Advisories/SQUID-2016_2.txthttp://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patchhttp://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patchhttp://www.ubuntu.com/usn/USN-2921-1https://security.gentoo.org/glsa/201607-01https://usn.ubuntu.com/3557-1/
2016-02-27
Published