The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.
{ "binaries": [ { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squid" }, { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squid-cgi" }, { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squid-common" }, { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squid-purge" }, { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squid3" }, { "binary_version": "3.5.12-1ubuntu7.5", "binary_name": "squidclient" } ], "availability": "No subscription required" }