[SECURITY] [DLA 763-1] squid3 security update

2016-12-2520:13:13

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Package : squid3
Version : 3.1.20-2.2+deb7u7
CVE ID : CVE-2016-10002
Debian Bug : 848493

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board
discovered that Squid3, a fully featured web proxy cache, does not
properly process responses to If-None-Modified HTTP conditional
requests, leading to client-specific Cookie data being leaked to other
clients. A remote attacker can take advantage of this flaw to discover
private and sensitive information about another client's browsing
session.

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.20-2.2+deb7u7.

We recommend that you upgrade your squid3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8powerpcsquid3-dbg< 3.4.8-6+deb8u4squid3-dbg_3.4.8-6+deb8u4_powerpc.deb
Debian8arm64squid3-dbg< 3.4.8-6+deb8u4squid3-dbg_3.4.8-6+deb8u4_arm64.deb
Debian8amd64squid3< 3.4.8-6+deb8u4squid3_3.4.8-6+deb8u4_amd64.deb
Debian8amd64squidclient< 3.4.8-6+deb8u4squidclient_3.4.8-6+deb8u4_amd64.deb
Debian8arm64squid-cgi< 3.4.8-6+deb8u4squid-cgi_3.4.8-6+deb8u4_arm64.deb
Debian8arm64squid-purge< 3.4.8-6+deb8u4squid-purge_3.4.8-6+deb8u4_arm64.deb
Debian7i386squid3-dbg< 3.1.20-2.2+deb7u7squid3-dbg_3.1.20-2.2+deb7u7_i386.deb
Debian8powerpcsquidclient< 3.4.8-6+deb8u4squidclient_3.4.8-6+deb8u4_powerpc.deb
Debian8ppc64elsquidclient< 3.4.8-6+deb8u4squidclient_3.4.8-6+deb8u4_ppc64el.deb
Debian8kfreebsd-i386squid-cgi< 3.4.8-6+deb8u4squid-cgi_3.4.8-6+deb8u4_kfreebsd-i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	powerpc	squid3-dbg	< 3.4.8-6+deb8u4	squid3-dbg_3.4.8-6+deb8u4_powerpc.deb
Debian	8	arm64	squid3-dbg	< 3.4.8-6+deb8u4	squid3-dbg_3.4.8-6+deb8u4_arm64.deb
Debian	8	amd64	squid3	< 3.4.8-6+deb8u4	squid3_3.4.8-6+deb8u4_amd64.deb
Debian	8	amd64	squidclient	< 3.4.8-6+deb8u4	squidclient_3.4.8-6+deb8u4_amd64.deb
Debian	8	arm64	squid-cgi	< 3.4.8-6+deb8u4	squid-cgi_3.4.8-6+deb8u4_arm64.deb
Debian	8	arm64	squid-purge	< 3.4.8-6+deb8u4	squid-purge_3.4.8-6+deb8u4_arm64.deb
Debian	7	i386	squid3-dbg	< 3.1.20-2.2+deb7u7	squid3-dbg_3.1.20-2.2+deb7u7_i386.deb
Debian	8	powerpc	squidclient	< 3.4.8-6+deb8u4	squidclient_3.4.8-6+deb8u4_powerpc.deb
Debian	8	ppc64el	squidclient	< 3.4.8-6+deb8u4	squidclient_3.4.8-6+deb8u4_ppc64el.deb
Debian	8	kfreebsd-i386	squid-cgi	< 3.4.8-6+deb8u4	squid-cgi_3.4.8-6+deb8u4_kfreebsd-i386.deb