Security Advisory Moderate: squid security update

Advisory: RHSA-2014:0597-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-06-03
Last updated on: 2014-06-03
Affected Products: Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.5)
Red Hat Enterprise Linux Server EUS (v. 6.5.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2014-0128

Details

Updated squid packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.

A denial of service flaw was found in the way Squid processed certain HTTPS
requests when the SSL Bump feature was enabled. A remote attacker could
send specially crafted requests that could cause Squid to crash.
(CVE-2014-0128)

Red Hat would like to thank the Squid project for reporting this issue.
Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open
Systems AG as the original reporters.

All squid users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, the squid service will be restarted automatically.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
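
A host-side check for the condition this advisory describes, as an added example (not Red Hat's or the Squid project's code): it reports whether a squid.conf enables SSL Bump and whether the installed version-release predates the fixed build squid-3.1.10-20.el6_5.3. The function names, the sample configuration, the ssl-bump port-flag test, and the use of GNU sort -V in place of RPM's own version comparison are assumptions.

```shell
#!/bin/sh
# Added example: triage one host against RHSA-2014:0597 (CVE-2014-0128).
FIXED_EVR="3.1.10-20.el6_5.3"   # fixed version-release, from this advisory

# Exit 0 if the squid.conf text on stdin enables SSL Bump on any port.
# Assumption: bumping needs the ssl-bump (older spelling: sslBump) flag on an
# http_port/https_port line; commented-out text is ignored.
sslbump_enabled() {
    sed -e 's/#.*//' |
        grep -Eiq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]ssl-?bump([[:space:]]|$)'
}

# Exit 0 if version-release $1 sorts before the fixed build. GNU `sort -V`
# approximates RPM ordering here; it is not rpm's own comparison.
older_than_fixed() {
    [ "$1" != "$FIXED_EVR" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | head -n 1)" = "$1" ]
}

# Print a verdict for installed version-release $1 and squid.conf on stdin.
triage() {
    if ! sslbump_enabled; then
        echo "unaffected-config"    # flaw needs SSL Bump; still apply the update
    elif older_than_fixed "$1"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample configuration (not taken from the advisory).
sample_conf() {
    cat <<'EOF'
# http_port 3128 ssl-bump    <- commented out, must not count
http_port 3128
http_port 3129 ssl-bump cert=/etc/squid/ca.pem
ssl_bump allow all
EOF
}

# On a real host:
#   triage "$(rpm -q --qf '%{VERSION}-%{RELEASE}' squid)" < /etc/squid/squid.conf
```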

Updated packages

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
squid-3.1.10-20.el6_5.3.src.rpm
File outdated by:  RHBA-2014:1446
    MD5: 35d24cf9108848404a079cee90c01697
SHA-256: e499d9d5f4c683e833cc9964ad1087f8b42931da82214fa1fdf1ef17b0b31eea
 
IA-32:
squid-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHBA-2014:1446
    MD5: 03972355f740aeea6473ea174307e328
SHA-256: d59a0b58590e6aa8fd494d4b078627b6b78b51bc50cac8dfd36e8dca07e2936a
squid-debuginfo-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHBA-2014:1446
    MD5: f65e9fe3195cd3b37ea23b116cc872c8
SHA-256: ff392d4c27bf558b337721c6e52016ab5fcb074061d936587bdcff49560f963a
 
PPC:
squid-3.1.10-20.el6_5.3.ppc64.rpm
File outdated by:  RHBA-2014:1446
    MD5: 3bc62c13c10af35bda9dcbd6c2154a1c
SHA-256: d4c2f532e3e6bc03895c9142b465bea5823b31698842394299f76536faa1f9b2
squid-debuginfo-3.1.10-20.el6_5.3.ppc64.rpm
File outdated by:  RHBA-2014:1446
    MD5: efc6e030aa39668efc9f82ad5b017e32
SHA-256: 9bf8cea59ed97a9d87b82c85e7649e28b07387d0af56e4a3e6f08a79b5afedea
 
s390x:
squid-3.1.10-20.el6_5.3.s390x.rpm
File outdated by:  RHBA-2014:1446
    MD5: 67e3013472b470277e53bd216ac52e66
SHA-256: 907c2686ef0455258d81ffe9bd989e58691b23f42dc1898888cad8755d7f0695
squid-debuginfo-3.1.10-20.el6_5.3.s390x.rpm
File outdated by:  RHBA-2014:1446
    MD5: 566a8626b2e6daecd7eb99132c6d9fdb
SHA-256: 27b5e1d9ab19624aaaa763d815735173f89ce26e67f8ffd373a8037c6ad11455
 
x86_64:
squid-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHBA-2014:1446
    MD5: 679be0019240721d426aaf29792e6c6f
SHA-256: 286cdf041b988c4cfb838358b997c3719af96e4e66a104d8ba812094b28d3fa3
squid-debuginfo-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHBA-2014:1446
    MD5: 167098e8621bf075e8d5fd54dea288a8
SHA-256: 751d718d326b7cc1c73985ed8f3093965e849b9153fe3c6dd4bafdab6b64aa17
 
Red Hat Enterprise Linux Server AUS (v. 6.5)

SRPMS:
squid-3.1.10-20.el6_5.3.src.rpm
File outdated by:  RHBA-2014:1446
    MD5: 35d24cf9108848404a079cee90c01697
SHA-256: e499d9d5f4c683e833cc9964ad1087f8b42931da82214fa1fdf1ef17b0b31eea
 
x86_64:
squid-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHSA-2014:1148
    MD5: 679be0019240721d426aaf29792e6c6f
SHA-256: 286cdf041b988c4cfb838358b997c3719af96e4e66a104d8ba812094b28d3fa3
squid-debuginfo-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHSA-2014:1148
    MD5: 167098e8621bf075e8d5fd54dea288a8
SHA-256: 751d718d326b7cc1c73985ed8f3093965e849b9153fe3c6dd4bafdab6b64aa17
 
Red Hat Enterprise Linux Server EUS (v. 6.5.z)

SRPMS:
squid-3.1.10-20.el6_5.3.src.rpm
File outdated by:  RHBA-2014:1446
    MD5: 35d24cf9108848404a079cee90c01697
SHA-256: e499d9d5f4c683e833cc9964ad1087f8b42931da82214fa1fdf1ef17b0b31eea
 
IA-32:
squid-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHSA-2014:1148
    MD5: 03972355f740aeea6473ea174307e328
SHA-256: d59a0b58590e6aa8fd494d4b078627b6b78b51bc50cac8dfd36e8dca07e2936a
squid-debuginfo-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHSA-2014:1148
    MD5: f65e9fe3195cd3b37ea23b116cc872c8
SHA-256: ff392d4c27bf558b337721c6e52016ab5fcb074061d936587bdcff49560f963a
 
PPC:
squid-3.1.10-20.el6_5.3.ppc64.rpm
File outdated by:  RHSA-2014:1148
    MD5: 3bc62c13c10af35bda9dcbd6c2154a1c
SHA-256: d4c2f532e3e6bc03895c9142b465bea5823b31698842394299f76536faa1f9b2
squid-debuginfo-3.1.10-20.el6_5.3.ppc64.rpm
File outdated by:  RHSA-2014:1148
    MD5: efc6e030aa39668efc9f82ad5b017e32
SHA-256: 9bf8cea59ed97a9d87b82c85e7649e28b07387d0af56e4a3e6f08a79b5afedea
 
s390x:
squid-3.1.10-20.el6_5.3.s390x.rpm
File outdated by:  RHSA-2014:1148
    MD5: 67e3013472b470277e53bd216ac52e66
SHA-256: 907c2686ef0455258d81ffe9bd989e58691b23f42dc1898888cad8755d7f0695
squid-debuginfo-3.1.10-20.el6_5.3.s390x.rpm
File outdated by:  RHSA-2014:1148
    MD5: 566a8626b2e6daecd7eb99132c6d9fdb
SHA-256: 27b5e1d9ab19624aaaa763d815735173f89ce26e67f8ffd373a8037c6ad11455
 
x86_64:
squid-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHSA-2014:1148
    MD5: 679be0019240721d426aaf29792e6c6f
SHA-256: 286cdf041b988c4cfb838358b997c3719af96e4e66a104d8ba812094b28d3fa3
squid-debuginfo-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHSA-2014:1148
    MD5: 167098e8621bf075e8d5fd54dea288a8
SHA-256: 751d718d326b7cc1c73985ed8f3093965e849b9153fe3c6dd4bafdab6b64aa17
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
squid-3.1.10-20.el6_5.3.src.rpm
File outdated by:  RHBA-2014:1446
    MD5: 35d24cf9108848404a079cee90c01697
SHA-256: e499d9d5f4c683e833cc9964ad1087f8b42931da82214fa1fdf1ef17b0b31eea
 
IA-32:
squid-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHBA-2014:1446
    MD5: 03972355f740aeea6473ea174307e328
SHA-256: d59a0b58590e6aa8fd494d4b078627b6b78b51bc50cac8dfd36e8dca07e2936a
squid-debuginfo-3.1.10-20.el6_5.3.i686.rpm
File outdated by:  RHBA-2014:1446
    MD5: f65e9fe3195cd3b37ea23b116cc872c8
SHA-256: ff392d4c27bf558b337721c6e52016ab5fcb074061d936587bdcff49560f963a
 
x86_64:
squid-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHBA-2014:1446
    MD5: 679be0019240721d426aaf29792e6c6f
SHA-256: 286cdf041b988c4cfb838358b997c3719af96e4e66a104d8ba812094b28d3fa3
squid-debuginfo-3.1.10-20.el6_5.3.x86_64.rpm
File outdated by:  RHBA-2014:1446
    MD5: 167098e8621bf075e8d5fd54dea288a8
SHA-256: 751d718d326b7cc1c73985ed8f3093965e849b9153fe3c6dd4bafdab6b64aa17
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1074870 - CVE-2014-0128 squid: denial of service when using SSL-Bump


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/