diff -Nru squid3-3.3.8/debian/changelog squid3-3.3.8/debian/changelog
--- squid3-3.3.8/debian/changelog 2016-06-08 12:08:25.000000000 +0000
+++ squid3-3.3.8/debian/changelog 2017-02-06 14:58:54.000000000 +0000
@@ -1,3 +1,14 @@
+squid3 (3.3.8-1ubuntu6.9) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
+ - debian/patches/CVE-2016-10002.patch: properly handle combination of
+ If-Match and a Cache Hit in src/client_side.cc,
+ src/client_side_reply.cc, src/client_side_reply.h, src/enums.h,
+ src/log/access_log.cc.
+ - CVE-2016-10002
+
+ -- Marc Deslauriers Mon, 06 Feb 2017 09:56:36 -0500
+
 squid3 (3.3.8-1ubuntu6.8) trusty-security; urgency=medium
 * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
diff -Nru squid3-3.3.8/debian/patches/CVE-2016-10002.patch squid3-3.3.8/debian/patches/CVE-2016-10002.patch
--- squid3-3.3.8/debian/patches/CVE-2016-10002.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid3-3.3.8/debian/patches/CVE-2016-10002.patch 2017-02-06 14:57:07.000000000 +0000
@@ -0,0 +1,215 @@
+Description: fix cookie data leak via If-Not-Modified HTTP conditional
+Origin: backport, http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_11.patch
+Bug: http://bugs.squid-cache.org/show_bug.cgi?id=4169
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848493
+
+Index: squid3-3.3.8/src/client_side.cc
+===================================================================
+--- squid3-3.3.8.orig/src/client_side.cc 2017-02-03 12:48:34.000000000 -0500
++++ squid3-3.3.8/src/client_side.cc 2017-02-06 09:56:22.997417731 -0500
+@@ -474,6 +474,7 @@
+ statCounter.client_http.nearHitSvcTime.count(svc_time);
+ break;
+
++ case LOG_TCP_INM_HIT:
+ case LOG_TCP_IMS_HIT:
+ statCounter.client_http.nearMissSvcTime.count(svc_time);
+ break;
+Index: squid3-3.3.8/src/client_side_reply.cc
+===================================================================
+--- squid3-3.3.8.orig/src/client_side_reply.cc 2017-02-03 12:48:34.000000000 -0500
++++ squid3-3.3.8/src/client_side_reply.cc 2017-02-06 09:56:22.997417731 -0500
+@@ -555,6 +555,7 @@
+ ) {
+ http->logType = LOG_TCP_NEGATIVE_HIT;
+ sendMoreData(result);
++ return;
+ } else if (!http->flags.internal && refreshCheckHTTP(e, r)) {
+ debugs(88, 5, "clientCacheHit: in refreshCheck() block");
+ /*
+@@ -601,25 +602,29 @@
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+ }
+- } else if (r->conditional())
+- processConditional(result);
+- else {
+- /*
+- * plain ol' cache hit
+- */
++ return;
++ } else if (r->conditional()) {
++ debugs(88, 5, "conditional HIT");
++ if (processConditional(result))
++ return;
++ }
++
++ /*
++ * plain ol' cache hit
++ */
++ debugs(88, 5, "plain old HIT");
+
+#if USE_DELAY_POOLS
+- if (e->store_status != STORE_OK)
+- http->logType = LOG_TCP_MISS;
+- else
+ #endif
+- if (e->mem_status == IN_MEMORY)
+- http->logType = LOG_TCP_MEM_HIT;
+- else if (Config.onoff.offline)
+- http->logType = 
LOG_TCP_OFFLINE_HIT;
++ if (e->mem_status == IN_MEMORY)
++ http->logType = LOG_TCP_MEM_HIT;
++ else if (Config.onoff.offline)
++ http->logType = LOG_TCP_OFFLINE_HIT;
+
+- sendMoreData(result);
+- }
++ sendMoreData(result);
+ }
+
+ /**
+@@ -718,7 +723,7 @@
+ }
+
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+ StoreEntry *const e = http->storeEntry();
+@@ -728,7 +733,7 @@
+ e->getReply()->sline.status << " != 200");
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+- return;
++ return true;
+ }
+
+ HttpRequest &r = *http->request;
+@@ -736,51 +741,39 @@
+ if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+ // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+ sendPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- bool matchedIfNoneMatch = false;
+ if (r.header.has(HDR_IF_NONE_MATCH)) {
+- if (!e->hasIfNoneMatchEtag(r)) {
+- // RFC 2616: ignore IMS if If-None-Match did not match
+- r.flags.ims = 0;
+- r.ims = -1;
+- r.imslen = 0;
+- r.header.delById(HDR_IF_MODIFIED_SINCE);
+- http->logType = LOG_TCP_MISS;
+- sendMoreData(result);
+- return;
+- }
++ // RFC 7232: If-None-Match recipient MUST ignore IMS
++ r.flags.ims = false;
++ r.ims = -1;
++ r.imslen = 0;
++ r.header.delById(HDR_IF_MODIFIED_SINCE);
+
+- if (!r.flags.ims) {
+- // RFC 2616: if If-None-Match matched and there is no IMS,
+- // reply with 304 Not Modified or 412 Precondition Failed
++ if (e->hasIfNoneMatchEtag(r)) {
+ sendNotModifiedOrPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- // otherwise check IMS below to decide if we reply with 304 or 412
+- matchedIfNoneMatch = true;
++ // None-Match is true (no ETag matched); treat as an unconditional hit
++ return false;
+ }
+
+ if (r.flags.ims) {
+ // handle If-Modified-Since requests from the client
+ if (e->modifiedSince(&r)) {
+- http->logType = LOG_TCP_IMS_HIT;
+- sendMoreData(result);
+- return;
+- }
++ // 
Modified-Since is true; treat as an unconditional hit
++ return false;
+
+- if (matchedIfNoneMatch) {
+- // If-None-Match matched, reply with 304 Not Modified or
+- // 412 Precondition Failed
+- sendNotModifiedOrPreconditionFailedError();
+- return;
++ } else {
++ // otherwise reply with 304 Not Modified
++ sendNotModified();
+ }
+-
+- // otherwise reply with 304 Not Modified
+- sendNotModified();
++ return true;
+ }
++
++ return false;
+ }
+
+ void
+@@ -1902,7 +1895,12 @@
+ StoreEntry *e = http->storeEntry();
+ const time_t timestamp = e->timestamp;
+ HttpReply *const temprep = e->getReply()->make304();
+- http->logType = LOG_TCP_IMS_HIT;
++ // log as TCP_INM_HIT if code 304 generated for
++ // If-None-Match request
++ if (!http->request->flags.ims)
++ http->logType = LOG_TCP_INM_HIT;
++ else
++ http->logType = LOG_TCP_IMS_HIT;
+ removeClientStoreReference(&sc, http);
+ createStoreEntry(http->request->method, RequestFlags());
+ e = http->storeEntry();
+Index: squid3-3.3.8/src/client_side_reply.h
+===================================================================
+--- squid3-3.3.8.orig/src/client_side_reply.h 2017-02-03 12:48:34.000000000 -0500
++++ squid3-3.3.8/src/client_side_reply.h 2017-02-06 09:56:22.993417686 -0500
+@@ -137,7 +137,7 @@
+ bool alwaysAllowResponse(http_status sline) const;
+ int checkTransferDone();
+ void processOnlyIfCachedMiss();
+- void processConditional(StoreIOBuffer &result);
++ bool processConditional(StoreIOBuffer &result);
+ void cacheHit(StoreIOBuffer result);
+ void handleIMSReply(StoreIOBuffer result);
+ void sendMoreData(StoreIOBuffer result);
+Index: squid3-3.3.8/src/enums.h
+===================================================================
+--- squid3-3.3.8.orig/src/enums.h 2013-07-13 09:25:14.000000000 -0400
++++ squid3-3.3.8/src/enums.h 2017-02-06 09:56:22.997417731 -0500
+@@ -41,6 +41,7 @@
+ LOG_TCP_REFRESH_FAIL_ERR, // refresh from origin failed, error forwarded
+ LOG_TCP_REFRESH_MODIFIED, // refresh from origin replaced 
existing entry
+ LOG_TCP_CLIENT_REFRESH_MISS,
++ LOG_TCP_INM_HIT,
+ LOG_TCP_IMS_HIT,
+ LOG_TCP_SWAPFAIL_MISS,
+ LOG_TCP_NEGATIVE_HIT,
+Index: squid3-3.3.8/src/log/access_log.cc
+===================================================================
+--- squid3-3.3.8.orig/src/log/access_log.cc 2013-07-13 09:25:14.000000000 -0400
++++ squid3-3.3.8/src/log/access_log.cc 2017-02-06 09:56:22.997417731 -0500
+@@ -583,6 +583,9 @@
+ if (code == LOG_TCP_HIT)
+ return 1;
+
++ if (code == LOG_TCP_INM_HIT)
++ return 1;
++
+ if (code == LOG_TCP_IMS_HIT)
+ return 1;
+
diff -Nru squid3-3.3.8/debian/patches/series squid3-3.3.8/debian/patches/series
--- squid3-3.3.8/debian/patches/series 2016-06-07 16:01:22.000000000 +0000
+++ squid3-3.3.8/debian/patches/series 2017-02-06 14:56:05.000000000 +0000
@@ -20,3 +20,4 @@
 CVE-2016-4553.patch
 CVE-2016-4554.patch
 CVE-2016-4555.patch
+CVE-2016-10002.patch
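Review bot: In the `@@ -1902,7 +1895,12 @@` hunk of client_side_reply.cc, the choice between `LOG_TCP_INM_HIT` and `LOG_TCP_IMS_HIT` tests `http->request->flags.ims`, which the new `processConditional` body clears whenever an If-None-Match header is present; a request carrying both headers is logged as an INM hit only because of that earlier side effect, and nothing at the assignment says so. Suggest a comment on the `if`: `// processConditional() cleared flags.ims when If-None-Match was present, so a clear flag here means the 304 answers an ETag condition`. The `return false` paths added to `processConditional` also change what reaches the access log: a conditional request whose precondition does not hold now falls through to the plain-hit tail of `cacheHit` and keeps whatever logType was set before, where the removed code logged `LOG_TCP_MISS` or `LOG_TCP_IMS_HIT`, so log consumers keyed on those codes will see different counts after this update and the patch Description should say so. The start of `cacheHit` and the opening of the function holding the -1902 hunk lie outside the hunks shown.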