Due to incorrect HTTP conditional request handling, Squid can deliver responses containing private data to clients it should not have reached. This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources.
External References: http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
References: http://seclists.org/oss-sec/2016/q4/699
Upstream bug: http://bugs.squid-cache.org/show_bug.cgi?id=4169
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1405944]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2017:0183 https://rhn.redhat.com/errata/RHSA-2017-0183.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:0182 https://rhn.redhat.com/errata/RHSA-2017-0182.html