968392 – (CVE-2016-2569) VUL-0: CVE-2016-2569: squid, squid3: Multiple DoS issues in HTTP Response processing

Bug 968392 (CVE-2016-2569) - VUL-0: CVE-2016-2569: squid, squid3: Multiple DoS issues in HTTP Response processing

Summary: VUL-0: CVE-2016-2569: squid, squid3: Multiple DoS issues in HTTP Response pro...

Status:	RESOLVED FIXED

Alias:	CVE-2016-2569

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/162263/
Whiteboard:	CVSSv2:SUSE:CVE-2016-2569:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-02-26 09:48 UTC by Alexander Bergmann
Modified:	2019-07-16 16:36 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2016-02-26 09:48:01 UTC

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

First issue;
 the proxy contains a String object class with 64KB content limits.
Some code paths do not bounds check before appending to these String
and overflow leads to an assertion which terminates all client
transactions using the proxy, including those unrelated to the limit
being exceeded.

A PoC has already been published for one attack vector using HTTP
"Vary" response header. When the Vary pattern presented by a server
expands to more than 64KB the DoS is triggered. For example:
 Vary: Cookie,Cookie,Cookie,Cookie,...
However, there are currently 4 known distinct vectors (types of
remotely provided input) with varying degrees of difficulty to trigger
the assertion.

Patch URLs that workaround 3 of those vectors (though not fully solve) are:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch

----------------
Use CVE-2016-2569 for both squid-3.5-13991.patch and
squid-4-14552.patch. There is (currently) no CVE ID for the remaining
unsolved problem associated with this "though not fully solve"
statement.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2569
http://seclists.org/oss-sec/2016/q1/442

Comment 1 Swamp Workflow Management 2016-02-26 23:00:40 UTC

bugbot adjusting priority

Comment 7 Swamp Workflow Management 2016-08-09 15:13:24 UTC

SUSE-SU-2016:1996-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.27.1

Comment 8 Swamp Workflow Management 2016-08-09 15:29:20 UTC

SUSE-SU-2016:2008-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    squid-3.3.14-20.2

Comment 9 Swamp Workflow Management 2016-08-16 13:10:05 UTC

openSUSE-SU-2016:2081-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 902197,929493,938715,955783,959290,963539,968392,968393,968394,968395,973782,973783,976553,976556,979008,979009,979010,979011
CVE References: CVE-2015-3455,CVE-2015-5400,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
openSUSE Leap 42.1 (src):    squid-3.3.14-6.1

Comment 10 Swamp Workflow Management 2016-08-16 16:09:49 UTC

SUSE-SU-2016:2089-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011,993299
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.30.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.30.1

Comment 11 Marcus Meissner 2016-12-19 10:36:35 UTC

released

Comment 12 Swamp Workflow Management 2019-05-08 11:31:08 UTC

This is an autogenerated message for OBS integration:
This bug (968392) was mentioned in
https://build.opensuse.org/request/show/701549 Factory / squid