Your submission was sent successfully! Close

CVE-2016-10003

Published: 27 January 2017

Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
squid3
Launchpad, Ubuntu, Debian
Upstream
Released (3.5.23-1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.12-1ubuntu7.3)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [3.3.8-1ubuntu6.8])
Patches:
Upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch (for squid-3.5 excluding 3.5.22)
Upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch (for squid 3.5.22 only)