Debian Security Advisory

DSA-3745-1 squid3 -- security update

Date Reported:
24 Dec 2016
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 848493.
In Mitre's CVE dictionary: CVE-2016-10002.
More information:

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board discovered that Squid3, a fully featured web proxy cache, does not properly process responses to If-None-Modified HTTP conditional requests, leading to client-specific Cookie data being leaked to other clients. A remote attacker can take advantage of this flaw to discover private and sensitive information about another clients browsing session.

For the stable distribution (jessie), this problem has been fixed in version 3.4.8-6+deb8u4. In addition, this update includes a fix for #819563.

For the unstable distribution (sid), this problem has been fixed in version 3.5.23-1.

We recommend that you upgrade your squid3 packages.