svn commit: r409709 - head/security/vuxml

Jason Unovitch junovitch at FreeBSD.org
Sun Feb 28 00:50:13 UTC 2016


Author: junovitch
Date: Sun Feb 28 00:50:12 2016
New Revision: 409709
URL: https://svnweb.freebsd.org/changeset/ports/409709

Log:
  Revise Squid entry with CVE assignment and SQUID-2016:2 advisory reference
  
  PR:		207454
  Reported by:	Pavel Timofeev <timp87 at gmail.com>
  Security:	CVE-2016-2569
  Security:	CVE-2016-2570
  Security:	CVE-2016-2571
  Security:	https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Feb 28 00:48:27 2016	(r409708)
+++ head/security/vuxml/vuln.xml	Sun Feb 28 00:50:12 2016	(r409709)
@@ -418,25 +418,31 @@ Notes:
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>Amos Jeffries reports:</p>
-	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/24/12">
-	  <p>The proxy contains a String object class with 64KB content limits.
-	    Some code paths do not bounds check before appending to these
-	    String and overflow leads to an assertion which terminates all
-	    client transactions using the proxy, including those unrelated to
-	    the limit being exceeded.</p>
-	  <p>Error handling for malformed HTTP responses can lead to a second
-	    assertion with the same effects as the first issue.</p>
+	<p>Squid security advisory 2016:2 reports:</p>
+	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt">
+	  <p>Due to incorrect bounds checking Squid is vulnerable to a denial
+	    of service attack when processing HTTP responses.</p>
+	  <p>These problems allow remote servers delivering certain unusual
+	    HTTP response syntax to trigger a denial of service for all
+	    clients accessing the Squid service.</p>
+	  <p>HTTP responses containing malformed headers that trigger this
+	    issue are becoming common. We are not certain at this time if
+	    that is a sign of malware or just broken server scripting.</p>
 	</blockquote>
       </body>
     </description>
     <references>
+      <cvename>CVE-2016-2569</cvename>
+      <cvename>CVE-2016-2570</cvename>
+      <cvename>CVE-2016-2571</cvename>
       <freebsdpr>ports/207454</freebsdpr>
+      <url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url>
       <url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url>
     </references>
     <dates>
       <discovery>2016-02-24</discovery>
       <entry>2016-02-24</entry>
+      <modified>2016-02-28</modified>
     </dates>
   </vuln>
 
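Review bot: the `<affects>` block that opens this hunk's context is left unchanged while the description, CVE list and advisory reference are all replaced; since the entry is now grounded in SQUID-2016:2 rather than the oss-security post it was written against, confirm that the affected version range above still matches the fixed versions that advisory names. Otherwise the change looks right: the three `<cvename>` entries and the advisory `<url>` are added, the original openwall reference is kept, and `<modified>` is set to the commit date.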

