Advisories » MGASA-2016-0171

Updated squid packages fix security vulnerability

Publication date: 11 May 2016
Modification date: 11 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4553, CVE-2016-4554

Description

Due to incorrect data validation of intercepted HTTP Request messages,
Squid is vulnerable to clients bypassing the protection against
CVE-2009-0801 related issues, which leads to cache poisoning. This
allows any client, including browser scripts, to bypass local security
and poison the proxy cache and any downstream caches with content from
an arbitrary source (CVE-2016-4553).

Due to incorrect input validation, Squid is vulnerable to a header
smuggling attack leading to cache poisoning and to a bypass of the
same-origin security policy in Squid and some client browsers
(CVE-2016-4554).

References

SRPMS

5/core