squid3 - security update

Several security issues have been discovered in the Squid caching proxy.

• CVE-2016-4051:

CESG and Yuriy M. Kaminskiy discovered that Squid cachemgr.cgi was
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed through Squid.

• CVE-2016-4052:

CESG discovered that a buffer overflow made Squid vulnerable to a
Denial of Service (DoS) attack when processing ESI responses.

• CVE-2016-4053:

CESG found that Squid was vulnerable to public information
disclosure of the server stack layout when processing ESI responses.

• CVE-2016-4054:

CESG discovered that Squid was vulnerable to remote code execution
when processing ESI responses.

• CVE-2016-4554:

Jianjun Chen found that Squid was vulnerable to a header smuggling
attack that could lead to cache poisoning and to bypass of
same-origin security policy in Squid and some client browsers.

• CVE-2016-4555,
  CVE-2016-4556:

“bfek-18” and “@vftable” found that Squid was vulnerable to a Denial
of Service (DoS) attack when processing ESI responses, due to
incorrect pointer handling and reference counting.

For the stable distribution (jessie), these problems have been fixed in
version 3.4.8-6+deb8u3.

For the testing (stretch) and unstable (sid) distributions, these
problems have been fixed in version 3.5.19-1.

We recommend that you upgrade your squid3 packages.