Security update for squid SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0128-1 Final 1 1 2017-01-13T15:15:19Z current 2017-01-13T15:15:19Z 2017-01-13T15:15:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: - CVE-2016-10003: Prevent incorrect forwarding of cached private responses when Collapsed Forwarding feature is enabled. This allowed remote attacker (proxy user) to discover private and sensitive information about another user (bsc#1016169). - CVE-2016-10002: Fixed incorrect processing of responses to If-None-Modified HTTP conditional requests. This allowed responses containing private data to clients it should not have reached (bsc#1016168). - CVE-2014-9749: Prevent nonce replay in Digest authentication, preventing the reuse of stale auth tokens (bsc#949942). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-RPI-12-SP2-2017-67,SUSE-SLE-SERVER-12-SP2-2017-67 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170128-1/ Link for SUSE-SU-2017:0128-1 https://lists.suse.com/pipermail/sle-security-updates/2017-January/002562.html E-Mail link for SUSE-SU-2017:0128-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1016168 SUSE Bug 1016168 https://bugzilla.suse.com/1016169 SUSE Bug 1016169 https://bugzilla.suse.com/949942 SUSE Bug 949942 https://www.suse.com/security/cve/CVE-2014-9749/ SUSE CVE CVE-2014-9749 page https://www.suse.com/security/cve/CVE-2016-10002/ SUSE CVE CVE-2016-10002 page https://www.suse.com/security/cve/CVE-2016-10003/ SUSE CVE CVE-2016-10003 page SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 squid-3.5.21-25.1 squid-3.5.21-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 squid-3.5.21-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 squid-3.5.21-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability." CVE-2014-9749 SUSE Linux Enterprise Server 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-25.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170128-1/ https://www.suse.com/security/cve/CVE-2014-9749.html CVE-2014-9749 https://bugzilla.suse.com/949942 SUSE Bug 949942 https://bugzilla.suse.com/993299 SUSE Bug 993299 Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information. CVE-2016-10002 SUSE Linux Enterprise Server 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-25.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170128-1/ https://www.suse.com/security/cve/CVE-2016-10002.html CVE-2016-10002 https://bugzilla.suse.com/1016168 SUSE Bug 1016168 Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients. CVE-2016-10003 SUSE Linux Enterprise Server 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:squid-3.5.21-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:squid-3.5.21-25.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170128-1/ https://www.suse.com/security/cve/CVE-2016-10003.html CVE-2016-10003 https://bugzilla.suse.com/1016169 SUSE Bug 1016169