CVE-2016-2570

Priority
Low
Description
The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x
before 4.0.7 does not check buffer limits during XML parsing, which allows
remote HTTP servers to cause a denial of service (assertion failure and
daemon exit) via a crafted XML document, related to esi/CustomParser.cc and
esi/CustomParser.h.
Notes
 mdeslaur> needs substantial backporting
 mdeslaur> There are no current plans to fix this CVE in Ubuntu 12.04 LTS
 mdeslaur> and Ubuntu 14.04 LTS.
Package
Upstream: released (3.5.15, 4.0.7)
Ubuntu 17.10 (Artful Aardvark): needed
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 14.04 LTS (Trusty Tahr): ignored
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 17.04 (Zesty Zapus): needed
Patches:
Upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
Updated: 2017-10-23 12:23:53 UTC (commit 13562)