Synopsis: Moderate: squid security, bug fix, and enhancement update
Advisory ID: SLSA-2016:2600-2
Issue Date: 2016-11-03
CVE Numbers: CVE-2016-2569
             CVE-2016-2570
             CVE-2016-2571
             CVE-2016-2572
             CVE-2016-3948
--

The following packages have been upgraded to a newer upstream version: squid (3.5.20).

Security Fix(es):

* Incorrect boundary checks were found in the way squid handled headers in HTTP responses, which could lead to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-2569, CVE-2016-2570)

* It was found that squid did not properly handle errors when failing to parse an HTTP response, possibly leading to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-2571, CVE-2016-2572)

* An incorrect boundary check was found in the way squid handled the Vary header in HTTP responses, which could lead to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-3948)

Additional Changes:
--

SL7
  x86_64
    squid-3.5.20-2.el7.x86_64.rpm
    squid-debuginfo-3.5.20-2.el7.x86_64.rpm
    squid-migration-script-3.5.20-2.el7.x86_64.rpm
    squid-sysvinit-3.5.20-2.el7.x86_64.rpm

- Scientific Linux Development Team