CVE-2016-2570

Priority
Low
Description
The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x
before 4.0.7 does not check buffer limits during XML parsing, which allows
remote HTTP servers to cause a denial of service (assertion failure and
daemon exit) via a crafted XML document, related to esi/CustomParser.cc and
esi/CustomParser.h.
Notes
 mdeslaur> needs substantial backporting
 mdeslaur> There are no current plans to fix this CVE in Ubuntu 12.04 LTS
 mdeslaur> and Ubuntu 14.04 LTS.
Assigned-to
mdeslaur
Package
Upstream: released (3.5.15, 4.0.7)
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 14.04 LTS (Trusty Tahr): ignored
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.12-1ubuntu7.5)
Ubuntu 17.10 (Artful Aardvark): not-affected (3.5.23-5ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.5.23-5ubuntu1)
Patches:
Upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch

Updated: 2018-02-05 20:14:59 UTC (commit 14128)