svn commit: r409709 - head/security/vuxml
Jason Unovitch
junovitch at FreeBSD.org
Sun Feb 28 00:50:13 UTC 2016
Author: junovitch
Date: Sun Feb 28 00:50:12 2016
New Revision: 409709
URL: https://svnweb.freebsd.org/changeset/ports/409709
Log:
Revise Squid entry with CVE assignment and SQUID-2016:2 advisory reference
PR: 207454
Reported by: Pavel Timofeev <timp87 at gmail.com>
Security: CVE-2016-2569
Security: CVE-2016-2570
Security: CVE-2016-2571
Security: https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Feb 28 00:48:27 2016 (r409708)
+++ head/security/vuxml/vuln.xml Sun Feb 28 00:50:12 2016 (r409709)
@@ -418,25 +418,31 @@ Notes:
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Amos Jeffries reports:</p>
- <blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/24/12">
- <p>The proxy contains a String object class with 64KB content limits.
- Some code paths do not bounds check before appending to these
- String and overflow leads to an assertion which terminates all
- client transactions using the proxy, including those unrelated to
- the limit being exceeded.</p>
- <p>Error handling for malformed HTTP responses can lead to a second
- assertion with the same effects as the first issue.</p>
+ <p>Squid security advisory 2016:2 reports:</p>
+ <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt">
+ <p>Due to incorrect bounds checking Squid is vulnerable to a denial
+ of service attack when processing HTTP responses.</p>
+ <p>These problems allow remote servers delivering certain unusual
+ HTTP response syntax to trigger a denial of service for all
+ clients accessing the Squid service.</p>
+ <p>HTTP responses containing malformed headers that trigger this
+ issue are becoming common. We are not certain at this time if
+ that is a sign of malware or just broken server scripting.</p>
</blockquote>
</body>
</description>
<references>
+ <cvename>CVE-2016-2569</cvename>
+ <cvename>CVE-2016-2570</cvename>
+ <cvename>CVE-2016-2571</cvename>
<freebsdpr>ports/207454</freebsdpr>
+ <url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url>
</references>
<dates>
<discovery>2016-02-24</discovery>
<entry>2016-02-24</entry>
+ <modified>2016-02-28</modified>
</dates>
</vuln>
More information about the svn-ports-all
mailing list