CVE-2016-2572
published 2016-02-27CVE-2016-2572: http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of…
PriorityP340high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
10.24%
95.1th percentile
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
squid: wrong error handling for malformed HTTP responses
vendor_redhat·2016-02-24·CVSS 7.5
CVE-2016-2572 [HIGH] CWE-228 squid: wrong error handling for malformed HTTP responses
squid: wrong error handling for malformed HTTP responses
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
It was found that squid did not properly handle errors when failing to parse an HTTP response, possibly leading to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/c
Debian
CVE-2016-2572: squid - http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a respons...
vendor_debian·2016·CVSS 7.5
CVE-2016-2572 [HIGH] CVE-2016-2572: squid - http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a respons...
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-6789-43mm-jrhx: http
ghsa_unreviewed·2022-05-14
CVE-2016-2572 [HIGH] CWE-20 GHSA-6789-43mm-jrhx: http
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
OSV
CVE-2016-2572: http
osv·2016-02-27·CVSS 7.5
CVE-2016-2572 [HIGH] CVE-2016-2572: http
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
bugzilla·2016-02-26·CVSS 7.5
CVE-2016-2571 [HIGH] CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
Error handling for malformed HTTP responses can lead to a second
assertion with the same effects as the first issue. It is not easily
triggered in Squid-3 or normally in Squid-4.
However fixing the String issue makes it become easily triggerable in
Squid-4, and we do have a history of the assertion itself being
reported as occuring already but been unable to identify the vectors
code path to replicate it yet. So we believe it can be achieved
independent of the String issues, even if we are unable so far to
identify how.
Discussion:
External references:
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
Upstream patches:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
Bugzilla
CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
bugzilla·2016-02-26·CVSS 7.5
CVE-2016-2569 [HIGH] CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2600.htmlhttp://www.openwall.com/lists/oss-security/2016/02/26/2http://www.securitytracker.com/id/1035101http://www.squid-cache.org/Advisories/SQUID-2016_2.txthttp://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patchhttps://security.gentoo.org/glsa/201607-01http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2600.htmlhttp://www.openwall.com/lists/oss-security/2016/02/26/2http://www.securitytracker.com/id/1035101http://www.squid-cache.org/Advisories/SQUID-2016_2.txthttp://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patchhttps://security.gentoo.org/glsa/201607-01
2016-02-27
Published