Launchpad.net

CVE 2016-10002

Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.

Related bugs and status

CVE-2016-10002 (Candidate) is related to these bugs:

Bug #1391159: squid3 is not built with helper /usr/lib/squid3/ext_time_quota_acl

Summary				In	Importance	Status
	1391159	squid3 is not built with helper /usr/lib/squid3/ext_time_quota_acl		squid3 (Ubuntu)	Undecided	Fix Released
	1391159	squid3 is not built with helper /usr/lib/squid3/ext_time_quota_acl		squid3 (Debian)	Undecided	Fix Released

Bug #1644538: Please sync Squid 3.5 latest from Debian

Summary				In	Importance	Status
	1644538	Please sync Squid 3.5 latest from Debian		squid3 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2016121...
CONFIRM: http://www.squid-cache...
DEBIAN: DSA-3745
BID: 94953
SECTRACK: 1037513
REDHAT: RHSA-2017:0182
REDHAT: RHSA-2017:0183