CVE-2016-4051

Name	CVE-2016-4051
Description	Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-478-1, DSA-3625-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squid (PTS)	buster (security), buster, buster (lts)	4.6-1+deb10u10	fixed
	bullseye (security), bullseye	4.13-10+deb11u3	fixed
	bookworm (security), bookworm	5.7-2+deb12u2	fixed
	sid, trixie	6.12-1	fixed
squid3 (PTS)	jessie, jessie (lts)	3.5.23-5+deb8u7	fixed
	stretch (security)	3.5.23-5+deb9u7	fixed
	stretch (lts), stretch	3.5.23-5+deb9u10	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
squid	source	wheezy	(not affected)
squid	source	(unstable)	4.1-1
squid3	source	wheezy	3.1.20-2.2+deb7u5	DLA-478-1
squid3	source	jessie	3.4.8-6+deb8u3	DSA-3625-1
squid3	source	(unstable)	3.5.17-1

Notes

[wheezy] - squid <not-affected> (cachemgr.cgi not installed. squid-cgi binary package built from squid3)
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch (Squid 3.2)
http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch (Squid 3.3)
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch (Squid 3.4)
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch (Squid 3.5)
Fixed in wheezy by DLA-556-1, c.f. CVE-2016-5408