CVE-2016-2390

The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
squid-cachesquid
𝑥
≤ 3.5.13
squid-cachesquid
4.0.4
squid-cachesquid
4.0.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bullseye (security)
4.13-10+deb11u3
fixed
bullseye
4.13-10+deb11u3
fixed
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
sid
6.12-1
fixed
trixie
6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid3
wily
not-affected
vivid
not-affected
trusty
dne
precise
not-affected
Common Weakness Enumeration
References
http://bugs.squid-cache.org/show_bug.cgi?id=4437
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html
http://www.securitytracker.com/id/1035045
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
http://bugs.squid-cache.org/show_bug.cgi?id=4437
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html
http://www.securitytracker.com/id/1035045
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt