Published: 10 May 2016
client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses.
CVSS 3 base score: 7.5
need to verify if ESI is enabled in package (see advisory)
3.1 not vulnerable to CVE-2016-4555, but is for CVE-2016-4556