Bug 1016169 - (CVE-2016-10003) VUL-0: CVE-2016-10003: squid: Incorrect HTTP Request header comparison results in Collapsed Forwarding feature
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: unspecified
Assigned To: Adam Majer
QA Contact: Security Team bot
CVSSv2:SUSE:CVE-2016-10003:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2016-12-17 16:24 UTC by Mikhail Kasimov
Modified: 2019-07-16 16:35 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Mikhail Kasimov 2016-12-17 16:24:50 UTC
Reference: http://seclists.org/oss-sec/2016/q4/699
=======================================================
Hi,

Two issues have been fixed in the latest Squid HTTP Proxy releases, both
result in Cookie headers and other client-specific private information
being delivered on cached responses to the wrong clients. Since Cookie
often carries security credentials or session keys we consider these
issues to have a high severity rating.


... (Issue #1 reported in boo#1016168 - MK)

Issue #2:

 Incorrect HTTP Request header comparison results in Collapsed
Forwarding feature mistakenly identifying some private responses as
being suitable for delivery to multiple clients.

 The current fix is not quite complete. However we believe the remaining
headers leaked are not a serious security issue.

Vulnerable Squid Versions:
 3.5.0.1 up to and including 3.5.22
 4.0.1 up to and including 4.0.16

Reference URLs:
 <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch>
 for squid-3.5 excluding 3.5.22:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch>
 for 3.5.22 only:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch>



Amos Jeffries
The Squid Software Foundation
=======================================================

Due to https://software.opensuse.org/package/squid there are:

3.5.22 (for TW, 42.2, and in server:proxy:Test repo), 3.3.14 (for 42.1) and 3.4.4 (for 13.2) in official repos and 4.0.15 in server:proxy:Beta repo.
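As an added triage helper (not part of the bug report or of Squid's own code), the script below encodes the vulnerable version ranges and the per-branch patch URLs quoted in the advisory above and classifies a version banner; the `Squid Cache: Version X.Y.Z` banner format printed by `squid -v` is an assumption.

```python
import re

# Inclusive vulnerable ranges for CVE-2016-10003, as listed in SQUID-2016_10.
# 3.5.0.1 has four components, so versions are compared as zero-padded tuples.
VULNERABLE_RANGES = [
    ((3, 5, 0, 1), (3, 5, 22)),
    ((4, 0, 1), (4, 0, 16)),
]

# Patch URLs from the advisory, keyed by the branch they apply to.
PATCH_SQUID4 = "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch"
PATCH_35_GENERIC = "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch"
PATCH_35_22_ONLY = "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch"


def parse_version(text):
    """Extract a version tuple from a 'squid -v' banner (assumed format) or a bare version."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(version, width):
    return version + (0,) * (width - len(version))


def is_vulnerable(version):
    """True when the upstream version falls inside one of the advisory's ranges."""
    for lo, hi in VULNERABLE_RANGES:
        width = max(len(lo), len(hi), len(version))
        if _pad(lo, width) <= _pad(version, width) <= _pad(hi, width):
            return True
    return False


def recommended_patch(version):
    """Return the advisory's patch URL for this version, or None if not affected."""
    if not is_vulnerable(version):
        return None
    if version[0] == 4:
        return PATCH_SQUID4
    if _pad(version, 4) == (3, 5, 22, 0):
        return PATCH_35_22_ONLY
    return PATCH_35_GENERIC


def triage(banner):
    """Classify a banner: (version, affected?, patch URL or None)."""
    v = parse_version(banner)
    return v, is_vulnerable(v), recommended_patch(v)
```

Distribution packages backport fixes without bumping the upstream version (the SUSE update ships squid-3.5.21-25.1), so a version-number match is a triage aid, not proof of exposure.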
Comment 1 Swamp Workflow Management 2016-12-17 23:00:30 UTC
bugbot adjusting priority
Comment 2 Mikhail Kasimov 2016-12-18 09:45:36 UTC
http://seclists.org/oss-sec/2016/q4/701 : 
============================================================================
Use CVE-2016-10003.


    The current fix is not quite complete. However we believe the remaining
    headers leaked are not a serious security issue.


If anyone needs a CVE ID for this issue (involving other headers) that
was not fixed in 3.5.23 and 4.0.17, please let us know.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
============================================================================
Comment 5 Swamp Workflow Management 2017-01-13 19:14:02 UTC
SUSE-SU-2017:0128-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1016168,1016169,949942
CVE References: CVE-2014-9749,CVE-2016-10002,CVE-2016-10003
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    squid-3.5.21-25.1
SUSE Linux Enterprise Server 12-SP2 (src):    squid-3.5.21-25.1
Comment 6 Matthias Gerstner 2017-01-16 12:42:45 UTC
all affected SLE codestreams have been fixed and released

openSUSE comes from SLE

closing bug
Comment 7 Swamp Workflow Management 2017-01-18 11:08:40 UTC
openSUSE-SU-2017:0192-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1016168,1016169,949942
CVE References: CVE-2014-9749,CVE-2016-10002,CVE-2016-10003
Sources used:
openSUSE Leap 42.2 (src):    squid-3.5.21-3.1
Comment 8 Swamp Workflow Management 2019-05-08 11:30:14 UTC
This is an autogenerated message for OBS integration:
This bug (1016169) was mentioned in
https://build.opensuse.org/request/show/701549 Factory / squid