squid34 security update

2017-01-2620:22:31

CentOS Project

lists.centos.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

CentOS Errata and Security Advisory CESA-2017:0183

The squid34 packages provide version 3.4 of Squid, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections. (CVE-2016-10002)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2017-January/084417.html

Affected packages:
squid34

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:0183

OSVersionArchitecturePackageVersionFilename
CentOS6i686squid34< 3.4.14-9.el6_8.4squid34-3.4.14-9.el6_8.4.i686.rpm
CentOS6x86_64squid34< 3.4.14-9.el6_8.4squid34-3.4.14-9.el6_8.4.x86_64.rpm