Category:   Application (Web Server/CGI)  >   Squid
Vendors:   Squid-cache.org
(CentOS Issues Fix) Squid Conditional Request Handling Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID:  1037724
SecurityTracker URL:  http://securitytracker.com/id/1037724
CVE Reference:   CVE-2016-10002
Date:  Jan 27 2017
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.1 - 3.5.22, 4.0 - 4.0.16
Description:   A vulnerability was reported in Squid. A remote user can obtain potentially sensitive information on the target system.

A remote user can send a specially crafted request to trigger a flaw in the processing of conditional requests and cause the target system to return responses containing potentially sensitive information about another client's browsing session. This information may include authentication credentials.

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information about other user sessions on the target system.
Solution:   CentOS has issued a fix.

x86_64:
275a75c85ff8c059d37c719dc5095b13f475d3713a3b464e4e45f4138ff78ddb squid-3.5.20-2.el7_3.2.x86_64.rpm
d92cb53e1cd1ca105c79f40e434a04fd67635671255e5ca5f8655ffe877ca124 squid-migration-script-3.5.20-2.el7_3.2.x86_64.rpm
5e1c34b8905de8a5f82c9f35543671aa80facc44e21341e284042f0e2f5e7d1f squid-sysvinit-3.5.20-2.el7_3.2.x86_64.rpm

Source:
8c17b5ff7d793529ed91f0ec5b772104019357863706e9636a2246c67d522bad squid-3.5.20-2.el7_3.2.src.rpm

Cause:   Access control error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Dec 21 2016 Squid Conditional Request Handling Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2017:0182 Moderate CentOS 7 squid Security Update


CentOS Errata and Security Advisory 2017:0182 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0182.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
275a75c85ff8c059d37c719dc5095b13f475d3713a3b464e4e45f4138ff78ddb  squid-3.5.20-2.el7_3.2.x86_64.rpm
d92cb53e1cd1ca105c79f40e434a04fd67635671255e5ca5f8655ffe877ca124  squid-migration-script-3.5.20-2.el7_3.2.x86_64.rpm
5e1c34b8905de8a5f82c9f35543671aa80facc44e21341e284042f0e2f5e7d1f  squid-sysvinit-3.5.20-2.el7_3.2.x86_64.rpm

Source:
8c17b5ff7d793529ed91f0ec5b772104019357863706e9636a2246c67d522bad  squid-3.5.20-2.el7_3.2.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
