Due to incorrect data validation of intercepted HTTP Request messages, Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning.
External references: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
Upstream fix: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1334251]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1139 https://access.redhat.com/errata/RHSA-2016:1139
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1140 https://access.redhat.com/errata/RHSA-2016:1140
squid-3.5.19-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.5.10-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has now been publicised as "Host of troubles", aka CERT VU#916855. Red Hat products were patched in May and July; no further action is needed. External URL: https://hostoftroubles.com/