Date: Sun, 28 Feb 2016 00:50:12 +0000 (UTC)
From: Jason Unovitch <junovitch@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r409709 - head/security/vuxml
Message-ID: <201602280050.u1S0oCPA005846@repo.freebsd.org>
Author: junovitch
Date: Sun Feb 28 00:50:12 2016
New Revision: 409709
URL: https://svnweb.freebsd.org/changeset/ports/409709

Log:
  Revise Squid entry with CVE assignment and SQUID-2016:2 advisory reference

  PR: 207454
  Reported by: Pavel Timofeev <timp87@gmail.com>
  Security: CVE-2016-2569
  Security: CVE-2016-2570
  Security: CVE-2016-2571
  Security: https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Feb 28 00:48:27 2016 (r409708) +++ head/security/vuxml/vuln.xml Sun Feb 28 00:50:12 2016 (r409709) 
@@ -418,25 +418,31 @@ Notes: </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Amos Jeffries reports:</p> - <blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/24/12"> - <p>The proxy contains a String object class with 64KB content limits. - Some code paths do not bounds check before appending to these - String and overflow leads to an assertion which terminates all - client transactions using the proxy, including those unrelated to - the limit being exceeded.</p> - <p>Error handling for malformed HTTP responses can lead to a second - assertion with the same effects as the first issue.</p> + <p>Squid security advisory 2016:2 reports:</p> + <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt"> + <p>Due to incorrect bounds checking Squid is vulnerable to a denial + of service attack when processing HTTP responses.</p> + <p>These problems allow remote servers delivering certain unusual + HTTP response syntax to trigger a denial of service for all + clients accessing the Squid service.</p> + <p>HTTP responses containing malformed headers that trigger this + issue are becoming common. We are not certain at this time if + that is a sign of malware or just broken server scripting.</p> </blockquote> </body> </description> <references> + <cvename>CVE-2016-2569</cvename> + <cvename>CVE-2016-2570</cvename> + <cvename>CVE-2016-2571</cvename> <freebsdpr>ports/207454</freebsdpr> + <url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url> <url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url> </references> <dates> <discovery>2016-02-24</discovery> <entry>2016-02-24</entry> + <modified>2016-02-28</modified> </dates> </vuln>
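Review bot: In the <description> body, the replacement blockquote drops the only text that said what actually fails (String appends past the 64KB content limit without a bounds check, and a second assertion in the error handling for malformed HTTP responses), while <references> gains three <cvename> entries and nothing in the entry says which issue each one covers. The advisory wording is fine as the lead quote, but consider keeping the Amos Jeffries blockquote after it, since its cite URL is still listed under <references>; that way a reader of the entry can see that the denial of service is an assertion terminating all client transactions without having to follow the link. The added <modified>2016-02-28</modified> agrees with the commit date.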