SUSE-SU-2017:0116-1

Published: 12 Jan 2017
Source: suse-cvrf

Description

Security update for squid

This update for squid fixes the following issues:

  • CVE-2016-10002: Fixed incorrect processing of responses to If-None-Modified HTTP conditional requests. This allowed responses containing private data to reach clients that should not have received them (bsc#1016168)
  • CVE-2014-9749: Prevent nonce replay in Digest authentication, preventing the reuse of stale auth tokens (bsc#949942)

Package list

SUSE Linux Enterprise Server 12 SP1
squid-3.3.14-22.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
squid-3.3.14-22.6.1

Description

Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability."


Affected products
SUSE Linux Enterprise Server 12 SP1:squid-3.3.14-22.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:squid-3.3.14-22.6.1

Description

Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.


Affected products
SUSE Linux Enterprise Server 12 SP1:squid-3.3.14-22.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:squid-3.3.14-22.6.1
