ID CVE-2016-4556
Summary Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response.
References
Vulnerable Configurations
  • squid-cache.org Squid 3.5.17
    cpe:2.3:a:squid-cache:squid:3.5.17
  • squid-cache.org Squid 3.5.16
    cpe:2.3:a:squid-cache:squid:3.5.16
  • cpe:2.3:a:squid-cache:squid:3.5.15
    cpe:2.3:a:squid-cache:squid:3.5.15
  • cpe:2.3:a:squid-cache:squid:3.5.14
    cpe:2.3:a:squid-cache:squid:3.5.14
  • cpe:2.3:a:squid-cache:squid:3.5.13
    cpe:2.3:a:squid-cache:squid:3.5.13
  • cpe:2.3:a:squid-cache:squid:3.5.12
    cpe:2.3:a:squid-cache:squid:3.5.12
  • cpe:2.3:a:squid-cache:squid:3.5.11
    cpe:2.3:a:squid-cache:squid:3.5.11
  • cpe:2.3:a:squid-cache:squid:3.5.10
    cpe:2.3:a:squid-cache:squid:3.5.10
  • cpe:2.3:a:squid-cache:squid:3.5.9
    cpe:2.3:a:squid-cache:squid:3.5.9
  • cpe:2.3:a:squid-cache:squid:3.5.8
    cpe:2.3:a:squid-cache:squid:3.5.8
  • cpe:2.3:a:squid-cache:squid:3.5.7
    cpe:2.3:a:squid-cache:squid:3.5.7
  • cpe:2.3:a:squid-cache:squid:3.5.6
    cpe:2.3:a:squid-cache:squid:3.5.6
  • cpe:2.3:a:squid-cache:squid:3.5.5
    cpe:2.3:a:squid-cache:squid:3.5.5
  • cpe:2.3:a:squid-cache:squid:3.5.4
    cpe:2.3:a:squid-cache:squid:3.5.4
  • cpe:2.3:a:squid-cache:squid:3.5.3
    cpe:2.3:a:squid-cache:squid:3.5.3
  • squid-cache.org Squid 3.5.2
    cpe:2.3:a:squid-cache:squid:3.5.2
  • squid-cache.org Squid 3.5.1
    cpe:2.3:a:squid-cache:squid:3.5.1
  • squid-cache.org Squid 3.5.0.4
    cpe:2.3:a:squid-cache:squid:3.5.0.4
  • squid-cache.org Squid 3.5.0.3
    cpe:2.3:a:squid-cache:squid:3.5.0.3
  • squid-cache.org Squid 3.5.0.2
    cpe:2.3:a:squid-cache:squid:3.5.0.2
  • squid-cache.org Squid 3.5.0.1
    cpe:2.3:a:squid-cache:squid:3.5.0.1
  • squid-cache.org Squid 3.4.14
    cpe:2.3:a:squid-cache:squid:3.4.14
  • squid-cache.org Squid 3.4.9
    cpe:2.3:a:squid-cache:squid:3.4.9
  • squid-cache.org Squid 3.4.8
    cpe:2.3:a:squid-cache:squid:3.4.8
  • squid-cache.org Squid 3.4.4
    cpe:2.3:a:squid-cache:squid:3.4.4
  • squid-cache.org Squid 3.4.3
    cpe:2.3:a:squid-cache:squid:3.4.3
  • squid-cache.org Squid 3.4.2
    cpe:2.3:a:squid-cache:squid:3.4.2
  • squid-cache.org Squid 3.4.13
    cpe:2.3:a:squid-cache:squid:3.4.13
  • squid-cache.org Squid 3.4.12
    cpe:2.3:a:squid-cache:squid:3.4.12
  • squid-cache.org Squid 3.4.11
    cpe:2.3:a:squid-cache:squid:3.4.11
  • squid-cache.org Squid 3.4.10
    cpe:2.3:a:squid-cache:squid:3.4.10
  • squid-cache.org Squid 3.4.1
    cpe:2.3:a:squid-cache:squid:3.4.1
  • squid-cache.org Squid 3.4.4.2
    cpe:2.3:a:squid-cache:squid:3.4.4.2
  • squid-cache.org Squid 3.4.4.1
    cpe:2.3:a:squid-cache:squid:3.4.4.1
  • squid-cache.org Squid 3.4.0.3
    cpe:2.3:a:squid-cache:squid:3.4.0.3
  • squid-cache.org Squid 3.4.0.2
    cpe:2.3:a:squid-cache:squid:3.4.0.2
  • squid-cache.org Squid 3.4.0.1
    cpe:2.3:a:squid-cache:squid:3.4.0.1
  • squid-cache.org Squid 3.3.14
    cpe:2.3:a:squid-cache:squid:3.3.14
  • squid-cache.org Squid 3.3.9
    cpe:2.3:a:squid-cache:squid:3.3.9
  • squid-cache.org Squid 3.3.8
    cpe:2.3:a:squid-cache:squid:3.3.8
  • squid-cache.org Squid 3.3.7
    cpe:2.3:a:squid-cache:squid:3.3.7
  • squid-cache.org Squid 3.3.6
    cpe:2.3:a:squid-cache:squid:3.3.6
  • squid-cache.org Squid 3.3.5
    cpe:2.3:a:squid-cache:squid:3.3.5
  • squid-cache.org Squid 3.3.4
    cpe:2.3:a:squid-cache:squid:3.3.4
  • squid-cache.org Squid 3.3.3
    cpe:2.3:a:squid-cache:squid:3.3.3
  • squid-cache.org Squid 3.3.2
    cpe:2.3:a:squid-cache:squid:3.3.2
  • squid-cache.org Squid 3.3.13
    cpe:2.3:a:squid-cache:squid:3.3.13
  • squid-cache.org Squid 3.3.12
    cpe:2.3:a:squid-cache:squid:3.3.12
  • squid-cache.org Squid 3.3.11
    cpe:2.3:a:squid-cache:squid:3.3.11
  • squid-cache.org Squid 3.3.10
    cpe:2.3:a:squid-cache:squid:3.3.10
  • squid-cache.org Squid 3.3.1
    cpe:2.3:a:squid-cache:squid:3.3.1
  • cpe:2.3:a:squid-cache:squid:3.3.0.1
    cpe:2.3:a:squid-cache:squid:3.3.0.1
  • squid-cache.org Squid 3.3.0.3
    cpe:2.3:a:squid-cache:squid:3.3.0.3
  • squid-cache.org Squid 3.3.0.2
    cpe:2.3:a:squid-cache:squid:3.3.0.2
  • squid-cache.org Squid 3.3.0
    cpe:2.3:a:squid-cache:squid:3.3.0
  • squid-cache.org Squid 3.2.9
    cpe:2.3:a:squid-cache:squid:3.2.9
  • squid-cache.org Squid 3.2.8
    cpe:2.3:a:squid-cache:squid:3.2.8
  • squid-cache.org Squid 3.2.7
    cpe:2.3:a:squid-cache:squid:3.2.7
  • squid-cache.org Squid 3.2.6
    cpe:2.3:a:squid-cache:squid:3.2.6
  • squid-cache.org Squid 3.2.5
    cpe:2.3:a:squid-cache:squid:3.2.5
  • squid-cache.org Squid 3.2.4
    cpe:2.3:a:squid-cache:squid:3.2.4
  • squid-cache.org Squid 3.2.3
    cpe:2.3:a:squid-cache:squid:3.2.3
  • squid-cache.org Squid 3.2.2
    cpe:2.3:a:squid-cache:squid:3.2.2
  • squid-cache.org Squid 3.2.13
    cpe:2.3:a:squid-cache:squid:3.2.13
  • squid-cache.org Squid 3.2.12
    cpe:2.3:a:squid-cache:squid:3.2.12
  • squid-cache.org Squid 3.2.11
    cpe:2.3:a:squid-cache:squid:3.2.11
  • squid-cache.org Squid 3.2.10
    cpe:2.3:a:squid-cache:squid:3.2.10
  • squid-cache.org Squid 3.2.1
    cpe:2.3:a:squid-cache:squid:3.2.1
  • squid-cache.org Squid 3.2.0.9
    cpe:2.3:a:squid-cache:squid:3.2.0.9
  • squid-cache.org Squid 3.2.0.8
    cpe:2.3:a:squid-cache:squid:3.2.0.8
  • squid-cache.org Squid 3.2.0.7
    cpe:2.3:a:squid-cache:squid:3.2.0.7
  • squid-cache.org Squid 3.2.0.6
    cpe:2.3:a:squid-cache:squid:3.2.0.6
  • squid-cache.org Squid 3.2.0.5
    cpe:2.3:a:squid-cache:squid:3.2.0.5
  • squid-cache.org Squid 3.2.0.4
    cpe:2.3:a:squid-cache:squid:3.2.0.4
  • squid-cache.org Squid 3.2.0.3
    cpe:2.3:a:squid-cache:squid:3.2.0.3
  • squid-cache.org Squid 3.2.0.2
    cpe:2.3:a:squid-cache:squid:3.2.0.2
  • squid-cache.org Squid 3.2.0.19
    cpe:2.3:a:squid-cache:squid:3.2.0.19
  • squid-cache.org Squid 3.2.0.18
    cpe:2.3:a:squid-cache:squid:3.2.0.18
  • squid-cache.org Squid 3.2.0.17
    cpe:2.3:a:squid-cache:squid:3.2.0.17
  • squid-cache.org Squid 3.2.0.16
    cpe:2.3:a:squid-cache:squid:3.2.0.16
  • squid-cache.org Squid 3.2.0.15
    cpe:2.3:a:squid-cache:squid:3.2.0.15
  • squid-cache.org Squid 3.2.0.14
    cpe:2.3:a:squid-cache:squid:3.2.0.14
  • squid-cache.org Squid 3.2.0.13
    cpe:2.3:a:squid-cache:squid:3.2.0.13
  • squid-cache.org Squid 3.2.0.12
    cpe:2.3:a:squid-cache:squid:3.2.0.12
  • squid-cache.org Squid 3.2.0.11
    cpe:2.3:a:squid-cache:squid:3.2.0.11
  • squid-cache.org Squid 3.2.0.10
    cpe:2.3:a:squid-cache:squid:3.2.0.10
  • squid-cache.org Squid 3.2.0.1
    cpe:2.3:a:squid-cache:squid:3.2.0.1
  • cpe:2.3:a:squid-cache:squid:3.1.22
    cpe:2.3:a:squid-cache:squid:3.1.22
  • cpe:2.3:a:squid-cache:squid:3.1.21
    cpe:2.3:a:squid-cache:squid:3.1.21
  • cpe:2.3:a:squid-cache:squid:3.1.20
    cpe:2.3:a:squid-cache:squid:3.1.20
  • cpe:2.3:a:squid-cache:squid:3.1.19
    cpe:2.3:a:squid-cache:squid:3.1.19
  • cpe:2.3:a:squid-cache:squid:3.1.18
    cpe:2.3:a:squid-cache:squid:3.1.18
  • cpe:2.3:a:squid-cache:squid:3.1.17
    cpe:2.3:a:squid-cache:squid:3.1.17
  • cpe:2.3:a:squid-cache:squid:3.1.16
    cpe:2.3:a:squid-cache:squid:3.1.16
  • squid-cache.org Squid 3.1.9
    cpe:2.3:a:squid-cache:squid:3.1.9
  • squid-cache.org Squid 3.1.8
    cpe:2.3:a:squid-cache:squid:3.1.8
  • squid-cache.org Squid 3.1.7
    cpe:2.3:a:squid-cache:squid:3.1.7
  • squid-cache.org Squid 3.1.6
    cpe:2.3:a:squid-cache:squid:3.1.6
  • squid-cache.org Squid 3.1.5.1
    cpe:2.3:a:squid-cache:squid:3.1.5.1
  • squid-cache.org Squid 3.1.5
    cpe:2.3:a:squid-cache:squid:3.1.5
  • squid-cache.org Squid 3.1.4
    cpe:2.3:a:squid-cache:squid:3.1.4
  • squid-cache.org Squid 3.1.3
    cpe:2.3:a:squid-cache:squid:3.1.3
  • squid-cache.org Squid 3.1.2
    cpe:2.3:a:squid-cache:squid:3.1.2
  • squid-cache.org Squid 3.1.15
    cpe:2.3:a:squid-cache:squid:3.1.15
  • squid-cache.org Squid 3.1.14
    cpe:2.3:a:squid-cache:squid:3.1.14
  • squid-cache.org Squid 3.1.13
    cpe:2.3:a:squid-cache:squid:3.1.13
  • squid-cache.org Squid 3.1.12
    cpe:2.3:a:squid-cache:squid:3.1.12
  • squid-cache.org Squid 3.1.11
    cpe:2.3:a:squid-cache:squid:3.1.11
  • squid-cache.org Squid 3.1.10
    cpe:2.3:a:squid-cache:squid:3.1.10
  • squid-cache.org Squid 3.1.1
    cpe:2.3:a:squid-cache:squid:3.1.1
  • squid-cache.org Squid 3.1.12.3
    cpe:2.3:a:squid-cache:squid:3.1.12.3
  • squid-cache.org Squid 3.1.12.2
    cpe:2.3:a:squid-cache:squid:3.1.12.2
  • squid-cache.org Squid 3.1.12.1
    cpe:2.3:a:squid-cache:squid:3.1.12.1
  • squid-cache.org Squid 3.1.0.9
    cpe:2.3:a:squid-cache:squid:3.1.0.9
  • squid-cache.org Squid 3.1.0.8
    cpe:2.3:a:squid-cache:squid:3.1.0.8
  • squid-cache.org Squid 3.1.0.7
    cpe:2.3:a:squid-cache:squid:3.1.0.7
  • squid-cache.org Squid 3.1.0.6
    cpe:2.3:a:squid-cache:squid:3.1.0.6
  • squid-cache.org Squid 3.1.0.5
    cpe:2.3:a:squid-cache:squid:3.1.0.5
  • squid-cache.org Squid 3.1.0.4
    cpe:2.3:a:squid-cache:squid:3.1.0.4
  • squid-cache.org Squid 3.1.0.3
    cpe:2.3:a:squid-cache:squid:3.1.0.3
  • squid-cache.org Squid 3.1.0.2
    cpe:2.3:a:squid-cache:squid:3.1.0.2
  • squid-cache.org Squid 3.1.0.18
    cpe:2.3:a:squid-cache:squid:3.1.0.18
  • squid-cache.org Squid 3.1.0.17
    cpe:2.3:a:squid-cache:squid:3.1.0.17
  • squid-cache.org Squid 3.1.0.16
    cpe:2.3:a:squid-cache:squid:3.1.0.16
  • squid-cache.org Squid 3.1.0.15
    cpe:2.3:a:squid-cache:squid:3.1.0.15
  • squid-cache.org Squid 3.1.0.14
    cpe:2.3:a:squid-cache:squid:3.1.0.14
  • squid-cache.org Squid 3.1.0.13
    cpe:2.3:a:squid-cache:squid:3.1.0.13
  • squid-cache.org Squid 3.1.0.12
    cpe:2.3:a:squid-cache:squid:3.1.0.12
  • squid-cache.org Squid 3.1.0.11
    cpe:2.3:a:squid-cache:squid:3.1.0.11
  • squid-cache.org Squid 3.1.0.10
    cpe:2.3:a:squid-cache:squid:3.1.0.10
  • squid-cache.org Squid 3.1.0.1
    cpe:2.3:a:squid-cache:squid:3.1.0.1
  • squid-cache.org Squid 3.1
    cpe:2.3:a:squid-cache:squid:3.1
  • squid-cache.org Squid 3.0
    cpe:2.3:a:squid-cache:squid:3.0
  • squid-cache.org Squid 4.0.9
    cpe:2.3:a:squid-cache:squid:4.0.9
  • squid-cache.org Squid 4.0.8
    cpe:2.3:a:squid-cache:squid:4.0.8
  • cpe:2.3:a:squid-cache:squid:4.0.7
    cpe:2.3:a:squid-cache:squid:4.0.7
  • squid-cache.org Squid 4.0.6
    cpe:2.3:a:squid-cache:squid:4.0.6
  • squid-cache.org Squid 4.0.5
    cpe:2.3:a:squid-cache:squid:4.0.5
  • squid-cache.org Squid 4.0.4
    cpe:2.3:a:squid-cache:squid:4.0.4
  • squid-cache.org Squid 4.0.3
    cpe:2.3:a:squid-cache:squid:4.0.3
  • squid-cache.org Squid 4.0.2
    cpe:2.3:a:squid-cache:squid:4.0.2
  • squid-cache.org Squid 4.0.1
    cpe:2.3:a:squid-cache:squid:4.0.1
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
  • Oracle Linux 6.0
    cpe:2.3:o:oracle:linux:6.0
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
CVSS
Base: 5.0 (as of 04-10-2016 - 15:15)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
redhat via4
advisories
  • bugzilla
    id 1334786
    title CVE-2016-4556 squid: SIGSEGV in ESIContext response handling
    oval
    AND
    • comment squid is earlier than 7:3.1.23-16.el6_8.4
      oval oval:com.redhat.rhsa:tst:20161138005
    • comment squid is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20110545006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    rhsa
    id RHSA-2016:1138
    released 2016-05-31
    severity Moderate
    title RHSA-2016:1138: squid security update (Moderate)
  • bugzilla
    id 1334786
    title CVE-2016-4556 squid: SIGSEGV in ESIContext response handling
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment squid is earlier than 7:3.3.8-26.el7_2.3
          oval oval:com.redhat.rhsa:tst:20161139007
        • comment squid is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110545006
      • AND
        • comment squid-sysvinit is earlier than 7:3.3.8-26.el7_2.3
          oval oval:com.redhat.rhsa:tst:20161139005
        • comment squid-sysvinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141147008
    rhsa
    id RHSA-2016:1139
    released 2016-05-31
    severity Moderate
    title RHSA-2016:1139: squid security update (Moderate)
  • bugzilla
    id 1334786
    title CVE-2016-4556 squid: SIGSEGV in ESIContext response handling
    oval
    AND
    • comment squid34 is earlier than 7:3.4.14-9.el6_8.3
      oval oval:com.redhat.rhsa:tst:20161140005
    • comment squid34 is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20161140006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    rhsa
    id RHSA-2016:1140
    released 2016-05-31
    severity Moderate
    title RHSA-2016:1140: squid34 security update (Moderate)
rpms
  • squid-7:3.1.23-16.el6_8.4
  • squid-7:3.3.8-26.el7_2.3
  • squid-sysvinit-7:3.3.8-26.el7_2.3
  • squid34-7:3.4.14-9.el6_8.3
refmap via4
confirm
debian DSA-3625
gentoo GLSA-201607-01
mlist
  • [oss-security] 20160506 CVE Request: Squid HTTP caching proxy
  • [oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy
sectrack 1035770
suse
  • SUSE-SU-2016:1996
  • SUSE-SU-2016:2089
  • openSUSE-SU-2016:2081
ubuntu USN-2995-1
Last major update 29-11-2016 - 22:07
Published 10-05-2016 - 15:59
Back to Top