An update for squid is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. (CVE-2016-4051)

* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid. (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054)

* An input validation flaw was found in the way Squid handled intercepted HTTP Request messages. An attacker could use this flaw to bypass the protection against issues related to CVE-2009-0801, and perform cache poisoning attacks on Squid. (CVE-2016-4553)

* An input validation flaw was found in Squid’s mime_get_header_field() function, which is used to search for headers within HTTP requests. An attacker could send an HTTP request from the client side with a specially crafted Host header that bypasses same-origin security protections, causing Squid operating as an interception or reverse proxy to contact the wrong origin server. It could also be used for cache poisoning for clients not following RFC 7230. (CVE-2016-4554)

* A NULL pointer dereference flaw was found in the way Squid processes ESI responses. If Squid was used as a reverse proxy or for TLS/HTTPS interception, a malicious server could use this flaw to crash the Squid worker process. (CVE-2016-4555)

* An incorrect reference counting flaw was found in the way Squid processes ESI responses. If Squid is configured as a reverse proxy or for TLS/HTTPS interception, an attacker controlling a server accessed by Squid could crash the Squid worker, causing a denial of service. (CVE-2016-4556)
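Most of the fixes above apply only when Squid runs as a reverse proxy, as an interception proxy, or with TLS/HTTPS interception. The following added example (not part of the Red Hat advisory) reads the listening-port lines of a squid.conf and reports which of this advisory's CVEs match the configured modes. The mapping from the port options accel, intercept, tproxy and ssl-bump to the advisory's wording is an assumption, the sample configuration is constructed, and CVE-2016-4051 is left out because use of cachemgr.cgi cannot be seen in squid.conf.

```python
import re

# Deployment mode -> CVEs, following the wording of the fix list above.
CVES_BY_MODE = {
    "reverse-proxy": {"CVE-2016-4052", "CVE-2016-4053", "CVE-2016-4054",
                      "CVE-2016-4554", "CVE-2016-4555", "CVE-2016-4556"},
    "tls-interception": {"CVE-2016-4052", "CVE-2016-4053", "CVE-2016-4054",
                         "CVE-2016-4555", "CVE-2016-4556"},
    "interception": {"CVE-2016-4553", "CVE-2016-4554"},
}
# Assumed mapping from http_port/https_port options to those modes.
MODE_BY_OPTION = {"accel": "reverse-proxy", "ssl-bump": "tls-interception",
                  "intercept": "interception", "tproxy": "interception"}
PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")

def port_modes(conf_text):
    """Return {listen_address: set_of_modes} for each http_port/https_port line."""
    modes = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including disabled ports
        m = PORT_RE.match(line)
        if not m:
            continue
        found = {MODE_BY_OPTION[o] for o in m.group(3).split() if o in MODE_BY_OPTION}
        modes.setdefault(m.group(2), set()).update(found)
    return modes

def relevant_cves(conf_text):
    """CVEs from this advisory whose stated precondition matches the config."""
    cves = set()
    for found in port_modes(conf_text).values():
        for mode in found:
            cves |= CVES_BY_MODE[mode]
    return sorted(cves)

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
http_port 3128
http_port 3129 intercept   # transparent proxy for the LAN
# http_port 80 accel defaultsite=www.example.com
https_port 3130 intercept ssl-bump cert=/etc/squid/ca.pem
"""

if __name__ == "__main__":
    for port, found in sorted(port_modes(SAMPLE_CONF).items()):
        print(port, sorted(found) or ["forward-proxy only"])
    print(relevant_cves(SAMPLE_CONF))
```

A host whose ports show no matching mode still needs the update; the result only helps decide which hosts to patch first.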
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

Red Hat Enterprise Linux Server (v. 7)

SRPMS:
squid-3.3.8-26.el7_2.3.src.rpm

PPC:
squid-3.3.8-26.el7_2.3.ppc64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.ppc64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.ppc64.rpm

PPC64LE:
squid-3.3.8-26.el7_2.3.ppc64le.rpm
squid-debuginfo-3.3.8-26.el7_2.3.ppc64le.rpm
squid-sysvinit-3.3.8-26.el7_2.3.ppc64le.rpm

s390x:
squid-3.3.8-26.el7_2.3.s390x.rpm
squid-debuginfo-3.3.8-26.el7_2.3.s390x.rpm
squid-sysvinit-3.3.8-26.el7_2.3.s390x.rpm

x86_64:
squid-3.3.8-26.el7_2.3.x86_64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.x86_64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.x86_64.rpm
 
Red Hat Enterprise Linux Server AUS (v. 7.2)

SRPMS:
squid-3.3.8-26.el7_2.3.src.rpm

x86_64:
squid-3.3.8-26.el7_2.3.x86_64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.x86_64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.x86_64.rpm
 
Red Hat Enterprise Linux Server EUS (v. 7.2)

SRPMS:
squid-3.3.8-26.el7_2.3.src.rpm

PPC:
squid-3.3.8-26.el7_2.3.ppc64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.ppc64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.ppc64.rpm

PPC64LE:
squid-3.3.8-26.el7_2.3.ppc64le.rpm
squid-debuginfo-3.3.8-26.el7_2.3.ppc64le.rpm
squid-sysvinit-3.3.8-26.el7_2.3.ppc64le.rpm

s390x:
squid-3.3.8-26.el7_2.3.s390x.rpm
squid-debuginfo-3.3.8-26.el7_2.3.s390x.rpm
squid-sysvinit-3.3.8-26.el7_2.3.s390x.rpm

x86_64:
squid-3.3.8-26.el7_2.3.x86_64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.x86_64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
squid-3.3.8-26.el7_2.3.src.rpm

x86_64:
squid-3.3.8-26.el7_2.3.x86_64.rpm
squid-debuginfo-3.3.8-26.el7_2.3.x86_64.rpm
squid-sysvinit-3.3.8-26.el7_2.3.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

1329126 – CVE-2016-4051 squid: buffer overflow in cachemgr.cgi
1329136 – CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 squid: multiple issues in ESI processing
1334233 – CVE-2016-4553 squid: Cache poisoning issue in HTTP Request handling
1334241 – CVE-2016-4554 squid: Header Smuggling issue in HTTP Request processing
1334246 – CVE-2016-4555 squid: SegFault from ESIInclude::Start
1334786 – CVE-2016-4556 squid: SIGSEGV in ESIContext response handling

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: