An update for squid is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* It was found that the fix for CVE-2016-4051 released via RHSA-2016:1138 did not properly prevent the stack overflow in the munge_other_line() function. A remote attacker could send specially crafted data to the Squid proxy, which would exploit the cachemgr CGI utility, possibly triggering execution of arbitrary code. (CVE-2016-5408)

Red Hat would like to thank Amos Jeffries (Squid) for reporting this issue.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
squid-3.1.23-16.el6_8.6.src.rpm
 
IA-32:
squid-3.1.23-16.el6_8.6.i686.rpm
squid-debuginfo-3.1.23-16.el6_8.6.i686.rpm
 
PPC:
squid-3.1.23-16.el6_8.6.ppc64.rpm
squid-debuginfo-3.1.23-16.el6_8.6.ppc64.rpm
 
s390x:
squid-3.1.23-16.el6_8.6.s390x.rpm
squid-debuginfo-3.1.23-16.el6_8.6.s390x.rpm
 
x86_64:
squid-3.1.23-16.el6_8.6.x86_64.rpm
squid-debuginfo-3.1.23-16.el6_8.6.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
squid-3.1.23-16.el6_8.6.src.rpm
 
IA-32:
squid-3.1.23-16.el6_8.6.i686.rpm
squid-debuginfo-3.1.23-16.el6_8.6.i686.rpm
 
x86_64:
squid-3.1.23-16.el6_8.6.x86_64.rpm
squid-debuginfo-3.1.23-16.el6_8.6.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
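
To confirm that hosts are at or above the fixed build listed above (squid-3.1.23-16.el6_8.6), the following added example, which is not part of the Red Hat advisory, checks collected `rpm -q squid` output against that build. The host names and sample lines are constructed, and the comparison is a simplified form of rpm's version ordering that assumes no epoch or tilde in the strings.

```python
import re

# Fixed build named in this advisory: squid-3.1.23-16.el6_8.6
FIXED_VERSION, FIXED_RELEASE = "3.1.23", "16.el6_8.6"

def rpmvercmp(a, b):
    """Compare version or release strings segment by segment, rpm-style.
    Simplified: epoch and tilde/caret ordering are not handled."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment outranks alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_squid_nvra(line):
    """Split 'squid-<version>-<release>.<arch>'; None for anything else."""
    m = re.match(r"^squid-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    return m.groups() if m else None

def needs_update(line):
    """True if older than the fixed build, False if not, None if unparsable."""
    parsed = parse_squid_nvra(line)
    if parsed is None:
        return None  # e.g. "package squid is not installed" or a subpackage
    version, release, _arch = parsed
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c < 0

def hosts_needing_update(inventory):
    """Return the sorted host names whose squid build predates the fix."""
    return sorted(h for h, line in inventory.items() if needs_update(line))

# Constructed sample inventory: host name -> output of `rpm -q squid`.
SAMPLE_INVENTORY = {
    "proxy-a": "squid-3.1.23-16.el6_8.5.x86_64",
    "proxy-b": "squid-3.1.23-16.el6_8.6.x86_64",
    "proxy-c": "squid-3.1.23-24.el6.x86_64",
    "proxy-d": "squid-3.1.10-29.el6.i686",
    "proxy-e": "package squid is not installed",
}

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```
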

1359203 – CVE-2016-5408 squid: Buffer overflow vulnerability in cachemgr.cgi tool

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
