Moderate: squid security update

Synopsis

Moderate: squid security update

Type/Severity

Security Advisory: Moderate

Topic

An update for squid is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

• It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections. (CVE-2016-10002)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.4 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.3 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Server - AUS 7.4 x86_64
• Red Hat Enterprise Linux Server - AUS 7.3 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.4 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3 ppc64le
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux Server - TUS 7.3 x86_64
• Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
• Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.4 ppc64le
• Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3 ppc64le
• Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.4 x86_64
• Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3 x86_64

Fixes

• BZ - 1405941 - CVE-2016-10002 squid: Information disclosure in HTTP request processing

CVEs

• CVE-2016-10002

References

• https://access.redhat.com/security/updates/classification/#moderate