Updated squid packages fix security vulnerabilities
Publication date: 22 Dec 2016
Modification date: 22 Dec 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-10002, CVE-2016-10003
Description
Incorrect processing of responses to If-None-Modified HTTP conditional requests leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information (CVE-2016-10002).

Incorrect HTTP Request header comparison results in the Collapsed Forwarding feature mistakenly identifying some private responses as suitable for delivery to multiple clients (CVE-2016-10003).
References
- https://bugs.mageia.org/show_bug.cgi?id=19970
- http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
- http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
- http://openwall.com/lists/oss-security/2016/12/18/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10002
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003
SRPMS
5/core
- squid-3.5.23-1.mga5