[USN-2995-1] Squid vulnerabilities

Fabricante: Ubuntu
Fecha: 09/06/2016
Identificador: USN-2995-1
[USN-2995-1] Squid vulnerabilities
========================================================================== Ubuntu Security Notice USN-2995-1 June 09, 2016 squid3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 15.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Squid. Software Description: - squid3: Web proxy cache server Details: Yuriy M. Kaminskiy discovered that the Squid pinger utility incorrectly handled certain ICMPv6 packets. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly cause Squid to leak information into log files. (CVE-2016-3947) Yuriy M. Kaminskiy discovered that the Squid cachemgr.cgi tool incorrectly handled certain crafted data. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4051) It was discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054) Jianjun Chen discovered that Squid did not correctly ignore the Host header when absolute-URI is provided. A remote attacker could possibly use this issue to conduct cache-poisoning attacks. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4553) Jianjun Chen discovered that Squid incorrectly handled certain HTTP Host headers. A remote attacker could possibly use this issue to conduct cache-poisoning attacks. (CVE-2016-4554) It was discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2016-4555, CVE-2016-4556) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: squid-cgi 3.5.12-1ubuntu7.2 squid3 3.5.12-1ubuntu7.2 Ubuntu 15.10: squid-cgi 3.3.8-1ubuntu16.3 squid3 3.3.8-1ubuntu16.3 Ubuntu 14.04 LTS: squid-cgi 3.3.8-1ubuntu6.8 squid3 3.3.8-1ubuntu6.8 Ubuntu 12.04 LTS: squid-cgi 3.1.19-1ubuntu3.12.04.7 squid3 3.1.19-1ubuntu3.12.04.7 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2995-1 CVE-2016-3947, CVE-2016-4051, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, CVE-2016-4553, CVE-2016-4554, CVE-2016-4555, CVE-2016-4556 Package Information: https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.2 https://launchpad.net/ubuntu/+source/squid3/3.3.8-1ubuntu16.3 https://launchpad.net/ubuntu/+source/squid3/3.3.8-1ubuntu6.8 https://launchpad.net/ubuntu/+source/squid3/3.1.19-1ubuntu3.12.04.7 --