{ "threat_severity" : "Moderate", "public_date" : "2016-04-20T00:00:00Z", "bugzilla" : { "description" : "squid: multiple issues in ESI processing", "id" : "1329136", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1329136" }, "cvss" : { "cvss_base_score" : "5.1", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.", "Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1138", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid-7:3.1.23-16.el6_8.4" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1140", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid34-7:3.4.14-9.el6_8.3" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1139", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "squid-7:3.3.8-26.el7_2.3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "squid", "cpe" : "cpe:/o:redhat:enterprise_linux:5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4054\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4054\nhttp://www.squid-cache.org/Advisories/SQUID-2016_6.txt" ], "name" : "CVE-2016-4054", "csaw" : false }