Advisories » MGASA-2016-0133

Updated squid packages fix security vulnerabilities

Publication date: 06 Apr 2016
Modification date: 06 Apr 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3947 , CVE-2016-3948

Description

Updated squid packages fix security vulnerabilities:

Due to a buffer overrun, the Squid pinger binary in Squid before 3.5.16 is
vulnerable to a denial of service or information leak attack when processing
ICMPv6 packets. This bug also permits the server response to manipulate other
ICMP and ICMPv6 queries processing to cause information leaks (CVE-2016-3947).

Due to incorrect bounds checking, Squid before 3.5.16 is vulnerable to a
denial of service attack when processing HTTP responses (CVE-2016-3948).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18122
• http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
• http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3947
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3948

SRPMS

5/core

• squid-3.5.16-1.mga5