An update for squid34 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The squid34 packages provide version 3.4 of Squid, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* It was found that squid did not properly remove connection-specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections. (CVE-2016-10002)

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
squid34-3.4.14-9.el6_8.4.src.rpm
 
IA-32:
squid34-3.4.14-9.el6_8.4.i686.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.i686.rpm
 
PPC:
squid34-3.4.14-9.el6_8.4.ppc64.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.ppc64.rpm
 
s390x:
squid34-3.4.14-9.el6_8.4.s390x.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.s390x.rpm
 
x86_64:
squid34-3.4.14-9.el6_8.4.x86_64.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
squid34-3.4.14-9.el6_8.4.src.rpm
 
IA-32:
squid34-3.4.14-9.el6_8.4.i686.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.i686.rpm
 
x86_64:
squid34-3.4.14-9.el6_8.4.x86_64.rpm
squid34-debuginfo-3.4.14-9.el6_8.4.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
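
To confirm that hosts have picked up the fixed build listed above (squid34-3.4.14-9.el6_8.4), the following added example, which is not part of the Red Hat advisory, flags hosts still running an older squid34 build. It uses a simplified rpm-style version comparison (no epoch, tilde or caret handling); the inventory format, host names and function names are assumptions made for illustration.

```python
import re

# Fixed version-release of squid34 named in this advisory.
FIXED = "3.4.14-9.el6_8.4"

def _segments(s):
    # rpm compares runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. No tilde/caret handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def unpatched_hosts(inventory_lines, fixed=FIXED):
    """Return hosts whose squid34 build is older than the fixed build."""
    stale = []
    for line in inventory_lines:
        host, name, vr = line.split()
        if name == "squid34" and compare_vr(vr, fixed) < 0:
            stale.append(host)
    return stale

# Constructed inventory, one "<host> <name> <version-release>" per line
# (hypothetical hosts; the last two fields are what rpm -q --qf can print).
SAMPLE = [
    "proxy-a squid34 3.4.14-9.el6_8.3",
    "proxy-b squid34 3.4.14-9.el6_8.4",
    "proxy-c squid34 3.4.14-15.el6",
    "proxy-d squid34 3.4.14-9.el6",
]

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE))
```
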

1405941 – CVE-2016-10002 squid: Information disclosure in HTTP request processing

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
