Ubuntu Security Notice 3192-1 - Saulius Lapinskas discovered that Squid incorrectly handled processing HTTP conditional requests. A remote attacker could possibly use this issue to obtain sensitive information related to other clients' browsing sessions. Felix Hassert discovered that Squid incorrectly handled certain HTTP Request headers when using the Collapsed Forwarding feature. A remote attacker could possibly use this issue to obtain sensitive information related to other clients' browsing sessions. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-3192-1
February 06, 2017
squid3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Squid could be made to expose sensitive information over the network.

Software Description:
- squid3: Web proxy cache server

Details:

Saulius Lapinskas discovered that Squid incorrectly handled processing
HTTP conditional requests. A remote attacker could possibly use this issue
to obtain sensitive information related to other clients' browsing
sessions. (CVE-2016-10002)

Felix Hassert discovered that Squid incorrectly handled certain HTTP
Request headers when using the Collapsed Forwarding feature. A remote
attacker could possibly use this issue to obtain sensitive information
related to other clients' browsing sessions. This issue only applied to
Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10003)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  squid3                          3.5.12-1ubuntu8.1

Ubuntu 16.04 LTS:
  squid3                          3.5.12-1ubuntu7.3

Ubuntu 14.04 LTS:
  squid3                          3.3.8-1ubuntu6.9

Ubuntu 12.04 LTS:
  squid3                          3.1.19-1ubuntu3.12.04.8

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3192-1
  CVE-2016-10002, CVE-2016-10003

Package Information:
  https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu8.1
  https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.3
  https://launchpad.net/ubuntu/+source/squid3/3.3.8-1ubuntu6.9
  https://launchpad.net/ubuntu/+source/squid3/3.1.19-1ubuntu3.12.04.8