{ "threat_severity" : "Moderate", "public_date" : "2016-04-20T00:00:00Z", "bugzilla" : { "description" : "squid: multiple issues in ESI processing", "id" : "1329136", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1329136" }, "cvss" : { "cvss_base_score" : "5.1", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.", "Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1138", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid-7:3.1.23-16.el6_8.4" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1140", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid34-7:3.4.14-9.el6_8.3" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1139", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "squid-7:3.3.8-26.el7_2.3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "squid", "cpe" : "cpe:/o:redhat:enterprise_linux:5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4053\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4053\nhttp://www.squid-cache.org/Advisories/SQUID-2016_6.txt" ], "name" : "CVE-2016-4053", "csaw" : false }