Bug 146159

Summary: CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175)
Product: Red Hat Enterprise Linux 3
Reporter: Josh Bressers <bressers>
Component: squid
Assignee: Jay Fenlason <fenlason>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 3.0
CC: bnocera, jfeeney
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20050125
Doc Type: Bug Fix
Last Closed: 2005-02-11 13:49:02 UTC

Description Josh Bressers 2005-01-25 18:46:45 UTC
These issues were reported to vendor-sec

--------------------------------------------------------------------------
Sanity check usernames in squid_ldap_auth

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces

Synopsis:
LDAP is very forgiving about spaces in search filters and this could
be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting

severity:   Minor Security issue
date:       2005-01-17 04:29
bugzilla:   http://www.squid-cache.org/bugs/show_bug.cgi?id=1187
versions:   Squid-2.5 and earlier
platforms:  All
patch:      http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch
Workaround: Block logins with spaces
              acl login_with_spaces proxy_auth_regex [[:space:]]
              http_access deny login_with_spaces

--------------------------------------------------------------------------

Reject malformed HTTP requests and responses that conflict with the HTTP
specifications

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

Synopsis:
This patch makes Squid considerably stricter while parsing the HTTP
protocol.
1. A Content-length header should only appear once in a valid request
   or response. Multiple Content-length headers, in conjunction with
   specially crafted requests, may allow Squid's cache to be poisoned
   with bad content in certain situations.
2. CR characters are only allowed as part of the CR NL line terminator,
   not alone. This is to ensure that all involved agree on the structure
   of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header
   name.
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set off Squid will become really strict about CR
characters and whitespace in header names, while in the default on
setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification.

severity: Security issue
date:        2005-01-25 13:37
versions:    Squid-2.5 and earlier
platforms:   All
patch:       http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-header_parsing.patch
workaround:  Disable client- and server-side persistent connections.
             This will limit the impact of mismatches in HTTP protocol
             parsing somewhat, but not fully.

--------------------------------------------------------------------------

Strengthen Squid from HTTP response splitting cache pollution attack

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting

Synopsis:
This patch additionally strengthens Squid from the HTTP response
splitting cache pollution attack described by Sanctum.

severity:    Security issue
date:        2005-01-21 12:43
bugzilla:    http://www.squid-cache.org/bugs/show_bug.cgi?id=1200
versions:    Squid-2.5 and earlier
platforms:   All
patch:       http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-response_splitting.patch

--------------------------------------------------------------------------
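
The three checks listed in the header_parsing synopsis above, written out as a small strict validator. This is an added example, not Squid's code or the upstream patch; the function name, the violation labels and the sample header blocks are constructed for illustration.

```python
import re

def check_header_block(raw: bytes) -> list[str]:
    """Return violation labels for a raw HTTP header block.

    `raw` is everything after the request/status line, up to but not
    including the empty line that ends the headers.
    """
    problems = []

    # Check 2: CR may appear only as part of the CR LF line terminator.
    if re.search(rb"\r(?!\n)", raw):
        problems.append("bare-cr")

    content_length_count = 0
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line or line[:1] in (b" ", b"\t"):
            continue  # empty line or folded continuation of the previous value
        name, sep, _value = line.partition(b":")
        if not sep:
            problems.append("no-colon")
            continue
        # Check 3: no whitespace anywhere in the header name.
        if re.search(rb"\s", name):
            problems.append("name-whitespace")
        if name.strip().lower() == b"content-length":
            content_length_count += 1

    # Check 1: Content-Length must appear at most once.
    if content_length_count > 1:
        problems.append("duplicate-content-length")
    return problems

# Constructed sample header blocks (not captured traffic).
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n"
DUPLICATE = b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n"
# A parser that treats a lone CR as a line break sees two Content-Length
# headers here; one that requires CR LF sees only one. That disagreement
# is what the strict check removes.
BARE_CR = b"X-Note: a\rContent-Length: 0\r\nContent-Length: 5\r\n"
NAME_SPACE = b"Content-Length : 5\r\n"

if __name__ == "__main__":
    for label, block in [("clean", CLEAN), ("duplicate", DUPLICATE),
                         ("bare CR", BARE_CR), ("name space", NAME_SPACE)]:
        print(label, check_header_block(block))
```
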

Comment 1 Josh Bressers 2005-01-25 18:49:32 UTC
These issues should also affect RHEL2.1

Comment 2 Josh Bressers 2005-01-28 13:04:49 UTC
CAN-2005-0173 Sanity check usernames in squid_ldap_auth

CAN-2005-0174 Reject malformed HTTP requests and responses that conflict with
the HTTP specifications

CAN-2005-0175 Strengthen Squid from HTTP response splitting cache pollution attack


Comment 3 Jay Fenlason 2005-02-10 19:01:26 UTC
*** Bug 147697 has been marked as a duplicate of this bug. ***

Comment 4 Josh Bressers 2005-02-11 13:49:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-061.html