diff --git a/SOURCES/squid-CVE-2016-10002.patch b/SOURCES/squid-CVE-2016-10002.patch
new file mode 100644
index 0000000..ce76f4f
--- /dev/null
+++ b/SOURCES/squid-CVE-2016-10002.patch
@@ -0,0 +1,290 @@
+------------------------------------------------------------
+revno: 14109
+revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
+author: Garri Djavadyan <garryd@comnet.uz>, Amos Jeffries <squid3@treenet.co.nz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2016-11-11 19:03:25 +1300
+message:
+  Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736
+# timestamp: 2016-11-11 06:10:37 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161101112231-\
+#   k77st4up2sekl5zx
+# 
+# Begin patch
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc  2016-10-09 19:47:26 +0000
++++ src/client_side_reply.cc  2016-11-11 06:03:25 +0000
+@@ -589,6 +589,7 @@
+         debugs(88, 5, "negative-HIT");
+         http->logType = LOG_TCP_NEGATIVE_HIT;
+         sendMoreData(result);
++        return;
+     } else if (blockedHit()) {
+         debugs(88, 5, "send_hit forces a MISS");
+         http->logType = LOG_TCP_MISS;
+@@ -641,27 +642,29 @@
+             http->logType = LOG_TCP_MISS;
+             processMiss();
+         }
++        return;
+     } else if (r->conditional()) {
+         debugs(88, 5, "conditional HIT");
+-        processConditional(result);
+-    } else {
+-        /*
+-         * plain ol' cache hit
+-         */
+-        debugs(88, 5, "plain old HIT");
++        if (processConditional(result))
++            return;
++    }
++
++    /*
++     * plain ol' cache hit
++     */
++    debugs(88, 5, "plain old HIT");
+ 
+ #if USE_DELAY_POOLS
+-        if (e->store_status != STORE_OK)
+-            http->logType = LOG_TCP_MISS;
+-        else
++    if (e->store_status != STORE_OK)
++        http->logType = LOG_TCP_MISS;
++    else
+ #endif
+-            if (e->mem_status == IN_MEMORY)
+-                http->logType = LOG_TCP_MEM_HIT;
+-            else if (Config.onoff.offline)
+-                http->logType = LOG_TCP_OFFLINE_HIT;
++        if (e->mem_status == IN_MEMORY)
++            http->logType = LOG_TCP_MEM_HIT;
++        else if (Config.onoff.offline)
++            http->logType = LOG_TCP_OFFLINE_HIT;
+ 
+-        sendMoreData(result);
+-    }
++    sendMoreData(result);
+ }
+ 
+ /**
+@@ -755,17 +758,16 @@
+ }
+ 
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+     StoreEntry *const e = http->storeEntry();
+ 
+     if (e->getReply()->sline.status() != Http::scOkay) {
+-        debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
+-               e->getReply()->sline.status() << " != 200");
++        debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
+         http->logType = LOG_TCP_MISS;
+         processMiss();
+-        return;
++        return true;
+     }
+ 
+     HttpRequest &r = *http->request;
+@@ -773,7 +775,7 @@
+     if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+         // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+         sendPreconditionFailedError();
+-        return;
++        return true;
+     }
+ 
+     bool matchedIfNoneMatch = false;
+@@ -786,14 +788,14 @@
+             r.header.delById(HDR_IF_MODIFIED_SINCE);
+             http->logType = LOG_TCP_MISS;
+             sendMoreData(result);
+-            return;
++            return true;
+         }
+ 
+         if (!r.flags.ims) {
+             // RFC 2616: if If-None-Match matched and there is no IMS,
+             // reply with 304 Not Modified or 412 Precondition Failed
+             sendNotModifiedOrPreconditionFailedError();
+-            return;
++            return true;
+         }
+ 
+         // otherwise check IMS below to decide if we reply with 304 or 412
+@@ -805,19 +807,20 @@
+         if (e->modifiedSince(&r)) {
+             http->logType = LOG_TCP_IMS_HIT;
+             sendMoreData(result);
+-            return;
+-        }
+ 
+-        if (matchedIfNoneMatch) {
++        } else if (matchedIfNoneMatch) {
+             // If-None-Match matched, reply with 304 Not Modified or
+             // 412 Precondition Failed
+             sendNotModifiedOrPreconditionFailedError();
+-            return;
++
++        } else {
++            // otherwise reply with 304 Not Modified
++            sendNotModified();
+         }
+-
+-        // otherwise reply with 304 Not Modified
+-        sendNotModified();
++        return true;
+     }
++
++    return false;
+ }
+ 
+ /// whether squid.conf send_hit prevents us from serving this hit
+
+=== modified file 'src/client_side_reply.h'
+--- src/client_side_reply.h 2016-09-23 15:28:42 +0000
++++ src/client_side_reply.h 2016-11-11 06:03:25 +0000
+@@ -114,7 +114,7 @@
+     bool alwaysAllowResponse(Http::StatusCode sline) const;
+     int checkTransferDone();
+     void processOnlyIfCachedMiss();
+-    void processConditional(StoreIOBuffer &result);
++    bool processConditional(StoreIOBuffer &result);
+     void cacheHit(StoreIOBuffer result);
+     void handleIMSReply(StoreIOBuffer result);
+     void sendMoreData(StoreIOBuffer result);
+
+------------------------------------------------------------
+revno: 14126
+revision-id: squid3@treenet.co.nz-20161215103357-827wow3k1y3k9yql
+parent: squid3@treenet.co.nz-20161215093634-ykbs6tv8pdusz7cj
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4169
+author: Garri Djavadyan <garryd@comnet.uz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Thu 2016-12-15 23:33:57 +1300
+message:
+  Bug 4169: HIT marked as MISS when If-None-Match does not match
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161215103357-827wow3k1y3k9yql
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 258cd3e400bcb137a7bcdf6e7e0240287ea581a3
+# timestamp: 2016-12-15 10:34:30 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161215093634-\
+#   ykbs6tv8pdusz7cj
+# 
+# Begin patch
+=== modified file 'src/LogTags.h'
+--- src/LogTags.h 2016-10-09 19:47:26 +0000
++++ src/LogTags.h 2016-12-15 10:33:57 +0000
+@@ -28,6 +28,7 @@
+     LOG_TCP_REFRESH_MODIFIED,   // refresh from origin replaced existing entry
+     LOG_TCP_CLIENT_REFRESH_MISS,
+     LOG_TCP_IMS_HIT,
++    LOG_TCP_INM_HIT,
+     LOG_TCP_SWAPFAIL_MISS,
+     LOG_TCP_NEGATIVE_HIT,
+     LOG_TCP_MEM_HIT,
+@@ -54,6 +55,7 @@
+     return
+         (code == LOG_TCP_HIT) ||
+         (code == LOG_TCP_IMS_HIT) ||
++        (code == LOG_TCP_INM_HIT) ||
+         (code == LOG_TCP_REFRESH_FAIL_OLD) ||
+         (code == LOG_TCP_REFRESH_UNMODIFIED) ||
+         (code == LOG_TCP_NEGATIVE_HIT) ||
+
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc  2016-12-09 01:58:33 +0000
++++ src/client_side.cc  2016-12-15 10:33:57 +0000
+@@ -429,6 +429,7 @@
+         statCounter.client_http.nearHitSvcTime.count(svc_time);
+         break;
+ 
++    case LOG_TCP_INM_HIT:
+     case LOG_TCP_IMS_HIT:
+         statCounter.client_http.nearMissSvcTime.count(svc_time);
+         break;
+
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc  2016-12-15 09:36:34 +0000
++++ src/client_side_reply.cc  2016-12-15 10:33:57 +0000
+@@ -778,40 +778,27 @@
+         return true;
+     }
+ 
+-    bool matchedIfNoneMatch = false;
+     if (r.header.has(HDR_IF_NONE_MATCH)) {
+-        if (!e->hasIfNoneMatchEtag(r)) {
+-            // RFC 2616: ignore IMS if If-None-Match did not match
+-            r.flags.ims = false;
+-            r.ims = -1;
+-            r.imslen = 0;
+-            r.header.delById(HDR_IF_MODIFIED_SINCE);
+-            http->logType = LOG_TCP_MISS;
+-            sendMoreData(result);
+-            return true;
+-        }
++        // RFC 7232: If-None-Match recipient MUST ignore IMS
++        r.flags.ims = false;
++        r.ims = -1;
++        r.imslen = 0;
++        r.header.delById(HDR_IF_MODIFIED_SINCE);
+ 
+-        if (!r.flags.ims) {
+-            // RFC 2616: if If-None-Match matched and there is no IMS,
+-            // reply with 304 Not Modified or 412 Precondition Failed
++        if (e->hasIfNoneMatchEtag(r)) {
+             sendNotModifiedOrPreconditionFailedError();
+             return true;
+         }
+ 
+-        // otherwise check IMS below to decide if we reply with 304 or 412
+-        matchedIfNoneMatch = true;
++        // None-Match is true (no ETag matched); treat as an unconditional hit
++        return false;
+     }
+ 
+     if (r.flags.ims) {
+         // handle If-Modified-Since requests from the client
+         if (e->modifiedSince(&r)) {
+-            http->logType = LOG_TCP_IMS_HIT;
+-            sendMoreData(result);
+-
+-        } else if (matchedIfNoneMatch) {
+-            // If-None-Match matched, reply with 304 Not Modified or
+-            // 412 Precondition Failed
+-            sendNotModifiedOrPreconditionFailedError();
++            // Modified-Since is true; treat as an unconditional hit
++            return false;
+ 
+         } else {
+             // otherwise reply with 304 Not Modified
+@@ -1974,7 +1961,12 @@
+     StoreEntry *e = http->storeEntry();
+     const time_t timestamp = e->timestamp;
+     HttpReply *const temprep = e->getReply()->make304();
+-    http->logType = LOG_TCP_IMS_HIT;
++    // log as TCP_INM_HIT if code 304 generated for
++    // If-None-Match request
++    if (!http->request->flags.ims)
++        http->logType = LOG_TCP_INM_HIT;
++    else
++        http->logType = LOG_TCP_IMS_HIT;
+     removeClientStoreReference(&sc, http);
+     createStoreEntry(http->request->method, RequestFlags());
+     e = http->storeEntry();
+
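Review bot: The new `bool` result of `clientReplyContext::processConditional()` has no documented contract, although `cacheHit()` now relies on it (`if (processConditional(result)) return;`) to decide whether the stored entry is sent as a plain hit. The `///` comment above the definition in src/client_side_reply.cc should state it, for example `/// \retval true a reply or miss/error handling was already started; false: caller serves the entry as an unconditional HIT`. In the last inner hunk, `LOG_TCP_INM_HIT` is chosen from `!http->request->flags.ims`, which appears to hold only because `processConditional()` clears `flags.ims` whenever If-None-Match is present. The comment there should say so, since any other caller reaching that code without IMS set would also be logged as an INM hit. The affected functions begin or end outside the inner hunks shown, so the remaining call sites could not be checked from here.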
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 500f78b..45576a9 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  2%{?dist}.1
+Release:  2%{?dist}.2
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -39,6 +39,8 @@ Patch208: squid-3.5.10-ssl-helper.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1378025
 # http://bazaar.launchpad.net/~squid/squid/3.4/revision/12713
 Patch209: squid-3.5.20-conf-casecmp.patch
+# http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_11.patch
+Patch210: squid-CVE-2016-10002.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
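Review bot: The comment above `Patch210` cites only the upstream SQUID-2016_11 changeset, whereas the neighbouring `Patch209` entry also records the Red Hat bug. Adding `# https://bugzilla.redhat.com/show_bug.cgi?id=1412735` (the bug named in this commit's changelog entry) would keep the CVE fix traceable from the spec. The patch file bundles two upstream revisions (revno 14109 and 14126), which the comment should also mention, because the file name suggests a single change.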
@@ -115,6 +117,7 @@ migration and script which prepares squid for downgrade operation.
 %patch207 -p1 -b .active-ftp-2
 %patch208 -p1 -b .ssl-helper
 %patch209 -p1 -b .conf-casecmp
+%patch210 -p0 -b .CVE-2016-10002
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
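Review bot: `%patch210` is applied with `-p0` while the entries above it use `-p1`, and nothing in the spec explains the difference. It matches the bare `src/...` paths in the bazaar-format patch, so a short comment above the line, such as `# bzr-format patch: paths are relative to the source root, hence -p0`, would stop a later cleanup from changing the strip level.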
@@ -340,6 +343,10 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Fri Jan 13 2017 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-2.2
+- Resolves: #1412735 - CVE-2016-10002 squid: Information disclosure in HTTP
+  request processing
+
 * Tue Dec 20 2016 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-2.1
 - Resolves: #1406288 - icap support has been disabled on squid 3.5.20-2.el7