Publishing details


squid3 (3.5.12-1ubuntu7.5) xenial-security; urgency=medium

  * SECURITY UPDATE: various denial of service issues
    - debian/patches/CVE-2016-25xx-1.patch: better handling of huge
      response headers in src/
    - debian/patches/CVE-2016-25xx-2.patch: throw instead of asserting on
      some String overflows in src/SquidString.h, src/,
      src/, src/clients/, src/clients/Client.h,
      src/clients/, src/
    - debian/patches/CVE-2016-25xx-3.patch: fix assertion in custom ESI
      parser in src/esi/, src/esi/CustomParser.h.
    - debian/patches/CVE-2016-25xx-4.patch: fix assertion in
      src/, src/FwdState.h, src/clients/Client.h, src/,
      src/comm.h, src/
    - CVE-2016-2569
    - CVE-2016-2570
    - CVE-2016-2571
  * SECURITY UPDATE: denial of service via crafted HTTP response
    - debian/patches/CVE-2016-3948.patch: convert Vary handling to SBuf in
      src/, src/HttpRequest.h, src/,
      src/MemObject.h, src/, src/,
      src/, src/, src/,
      src/http.h, src/, src/,
      src/, src/tests/,
    - CVE-2016-3948
  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 09:56:31 -0500
