Security update for squid SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0192-1 Final 1 1 2017-01-18T07:28:44Z current 2017-01-18T07:28:44Z 2017-01-18T07:28:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squid This update for squid fixes the following issues: - CVE-2016-10003: Prevent incorrect forwarding of cached private responses when Collapsed Forwarding feature is enabled. This allowed remote attacker (proxy user) to discover private and sensitive information about another user (bsc#1016169). - CVE-2016-10002: Fixed incorrect processing of responses to If-None-Modified HTTP conditional requests. This allowed responses containing private data to clients it should not have reached (bsc#1016168). - CVE-2014-9749: Prevent nonce replay in Digest authentication, preventing the reuse of stale auth tokens (bsc#949942). This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-01/msg00107.html E-Mail link for openSUSE-SU-2017:0192-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 squid-3.5.21-3.1 squid-3.5.21-3.1 as a component of openSUSE Leap 42.2 Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability." CVE-2014-9749 openSUSE Leap 42.2:squid-3.5.21-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-01/msg00107.html https://www.suse.com/security/cve/CVE-2014-9749.html CVE-2014-9749 https://bugzilla.suse.com/949942 SUSE Bug 949942 https://bugzilla.suse.com/993299 SUSE Bug 993299 Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information. CVE-2016-10002 openSUSE Leap 42.2:squid-3.5.21-3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-01/msg00107.html https://www.suse.com/security/cve/CVE-2016-10002.html CVE-2016-10002 https://bugzilla.suse.com/1016168 SUSE Bug 1016168 Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients. CVE-2016-10003 openSUSE Leap 42.2:squid-3.5.21-3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-01/msg00107.html https://www.suse.com/security/cve/CVE-2016-10003.html CVE-2016-10003 https://bugzilla.suse.com/1016169 SUSE Bug 1016169