Due to incorrect message parsing Squid is vulnerable to an HTTP request splitting issue. This issue allows attackers to smuggle HTTP requests through frontend software to a Squid which splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches between client and Squid with attacker controlled content at arbitrary URLs.
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1770350]
Upstream patch: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch