Candidate: CVE-2016-2572
PublicDate: 2016-02-27 05:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2572
 http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
Description:
 http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a
 response-parsing failure, which allows remote HTTP servers to cause a
 denial of service (assertion failure and daemon exit) via a malformed
 response.
Ubuntu-Description:
Notes:
 mdeslaur> This CVE is only for the 'Do not use parsing leftovers, such as
 mdeslaur> HTTP response status code' part of the squid-4-14548.patch
 mdeslaur> patch. As such, it is 4.x only.
Bugs:
Priority: medium
Discovered-by: Alex Rousskov
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_squid3:
upstream_squid3: released (3.5.15, 4.0.7)
precise_squid3: not-affected (3.1.19-1ubuntu3.12.04.4)
trusty_squid3: not-affected (3.3.8-1ubuntu6.4)
trusty/esm_squid3: DNE (trusty was not-affected [3.3.8-1ubuntu6.4])
vivid/ubuntu-core_squid3: DNE
vivid/stable-phone-overlay_squid3: DNE
wily_squid3: not-affected (3.3.8-1ubuntu16)
devel_squid3: not-affected (3.3.8-1ubuntu17)