Bug 152809
Summary: | Squid Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-... | | |
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Marc Deslauriers <marc.deslauriers> |
Component: | squid | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | bugzilla.redhat, deisenst, jpdalbec, pekkas, redhat-bugzilla, rob.myers, simon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities | | |
Whiteboard: | 1, LEGACY, rh73, rh90, 2 | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2006-02-18 19:14:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 189323 | | |
Attachments: | | | |
Description
David Lawrence
2005-03-30 23:28:13 UTC
*** Bug 152778 has been marked as a duplicate of this bug. ***

Packages were pushed to updates-testing.

*** Bug 152733 has been marked as a duplicate of this bug. ***

05.19.16 CVE: Not Available
Platform: Unix
Title: Squid Proxy Unspecified DNS Spoofing
Description: Squid Proxy is a freely available, open source web proxy software package. Squid Proxy is affected by an unspecified DNS spoofing vulnerability. Squid Proxy versions 2.5 and earlier are known to be vulnerable.
Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query

(2) MODERATE: Multiple Vendor HTTP Request Smuggling
Affected: Configurations involving a number of popular web proxy/cache servers and web application firewalls
Description: A new attack technique named "HTTP Request Smuggling" has been reported to affect configurations that involve one or more web entities (i.e. a web proxy server, a web cache server or a web application firewall) between a user and a web server. The attack can be carried out by crafting back-to-back HTTP requests that are interpreted differently by the web entities. For example, if an HTTP request is crafted with two distinct HTTP "Content-Length" headers, the two web entities may process the same request by honoring either the first or the last "Content-Length" header. The discoverers have shown how an attacker can exploit such behaviors by crafting HTTP requests that may result in web cache poisoning, bypassing the web firewall, cross-site scripting (requiring no user interaction) or session hijacking. The vulnerable example configurations listed in the discoverers' posting include Sun ONE proxy server, Sun ONE webserver, CheckPoint Firewall, Microsoft IIS server, Microsoft ISA server, Apache, Jakarta Tomcat server, IBM WebSphere, BEA WebLogic, Oracle9iAS, Squid, Delegate and Oracle WebCache.
Status: Squid and CheckPoint have distributed patches. The status regarding other vendors is not currently known.
Council Site Actions: Two council sites are still evaluating if they are vulnerable. One site has already patched their system.
References:
Watchfire Whitepaper http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
SecurityFocus BID http://www.securityfocus.com/bid/13873

05.23.14 CVE: Not Available
Platform: Cross Platform
Title: Multiple Vendor Multiple HTTP Request Smuggling
Description: Multiple vendors are prone to a new class of attack named "HTTP Request Smuggling". This class of attack basically revolves around piggybacking a HTTP request inside of another HTTP request. By leveraging failures to implement the HTTP/1.1 RFC properly, it is demonstrated that this class of attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks. Reports indicate that Microsoft IIS 5.0 is affected.
Ref: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

05.37.15 CVE: CAN-2005-2794
Platform: Unix
Title: Squid Proxy Aborted Requests Remote Denial of Service
Description: Squid Proxy is a freely available, open source Web proxy software package. A remote denial of service vulnerability affects the Squid Proxy. This issue is due to a failure of the application to properly handle exceptional network requests. A remote attacker may leverage this issue to crash the affected Squid Proxy, denying service to legitimate users.
Ref: http://www.securityfocus.com/bid/14761

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY for RHL 7.3

RHL 7.3 Packages:
squid-2.4.STABLE7-0.73.2.legacy.i386.rpm

Checksums and signatures verify okay. I installed the program without any problems. After a long learning curve on how to configure it (I've never used squid before) I was actually able to make it work! I tested some basic functionality, and it all worked amazingly well. I did NOT test the exact security problem (SNMP) but rather tested ftp and http only. I uninstalled it without issue.

Vote for release for RHL 7.3.

++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDNCEG4jZRbknHoPIRAilTAJ4kmxOYn3Tj+BbqP9qp6SFKIvzvKgCgqqk/
xYXPjzS7OTUBj/26PcSjEFg=
=7Wdn
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY for RHL 9

RHL 9 Packages:
squid-2.5.STABLE1-9.9.legacy.i386.rpm

Checksums and signatures verify okay. I installed the program without any problems. Upon running, I got the error messages:

    init_cache_dir /var/spool/squid... /etc/rc.d/init.d/squid: line 162: 3604 Aborted $SQUID -z -F -D 2>/dev/null
    Starting squid: /etc/rc.d/init.d/squid: line 162: 3605 Aborted $SQUID $SQUID_OPTS 2>/dev/null
    [FAILED]

Apparently it can't figure out my hostname. I edited /etc/squid/squid.conf and added the 'visible_hostname' to be my fully qualified host name. After that, it started fine. This is, I presume, a problem with my machine setup and not a bug in squid per se.

Once configured and running, it worked fine as an HTTP proxy/accelerator. I didn't test the SNMP functionality or bug fix; I just used it as an HTTP proxy/accelerator.

Vote for release for RHL 9.

++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDNCQc4jZRbknHoPIRAo/gAKCDNfgnHeCMjT8PBhQHEDDvxKTarQCeLoHS
5JC2cVsq/ee+tu9Vc56n06c=
=Y6pF
-----END PGP SIGNATURE-----

Thanks, timeouts in 2 weeks.

Timeout over. I've moved the vulnerabilities I reported post-updates-testing to Bug #170410 so this bug can be closed when the packages are released.

Created attachment 120495 [details]
Table of CVE's this bug ticket fixes & new CVE's for next one.

The attached table indicates all the CVE's I was able to determine that this bug #152809 fixes for the 3 distros handled in this bug report, plus FC2. "Y" in a row means that the CVE on that row is fixed for the distro in the column. This table also documents all of the CVE's I could find that are (or may be) issues for our next Bug #170410 to fix. These are the ones with the "N" (meaning "no, not fixed here") for the distro/CVE's. Some helpful links (like to RHSA reports or upstream patches where useful) are also placed on each row. Hope this is helpful.

I am not going to release the packages in updates-testing as they are seriously out-of-date. Let's track the new issues in this bug.

*** Bug 170410 has been marked as a duplicate of this bug. ***

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new squid packages to QA:

rh7.3 Changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.4.STABLE7-0.73.3.legacy
- Added security patches for CVE-2005-0718, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479 and CVE-2005-2794
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

rh9 changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-9.10.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

fc1 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE3-2.fc1.6.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

fc2 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE9-1.FC3.3.legacy
- Added security patches for CVE-1999-0710, CVE-2005-1519, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917

rh7.3:
7f2ecd2112c5be2b30e3561fbf51e42ef57d3301  7.3/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm
2dbcf936b058ecb5eac61b9c584402faf1aee9b2  7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm

rh9:
f60363c2614c4ef99db6e9084a965819c6b76a17  9/squid-2.5.STABLE1-9.10.legacy.i386.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  9/squid-2.5.STABLE1-9.10.legacy.src.rpm

fc1:
64e1464f0448299157b799c9c387c4d6de549b5f  1/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm

fc2:
e03ee3e4ff5a8c9ea70e49e0fb551703d7194f8c  2/squid-2.5.STABLE9-1.FC2.3.legacy.i386.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/
http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfSJoLMAs/0C4zNoRAgWuAJ9uO7hRiCsUr1dy+XBRYxODbOQChgCgmsiW
FIeN6tShS1rc6/NIFlr3lEI=
=9jaQ
-----END PGP SIGNATURE-----

Argh. Squid is a pain in the ass. I just spent an hour trying to verify these for correctness, but the patches were so difficult to figure out that I gave up.

What I was easily able to check was that RHL73 and FC1 corresponded to the RHEL packages, and patches were except for the NTLM-assert patch which RHEL doesn't ship (yet). FC1 and RHL9 also appeared to have the same patches, though contents were somewhat different.

I couldn't figure out why FC2 seemed to be missing ssl-diff, connect, connect_truncated (3/4 of CVE-2005-2796) and dothost (-2004-2479) patches. RHEL also had included squid-2.5.STABLE10-statHistAssert.patch but that isn't an urgent update so leaving it out is OK.

I'm not sure how we could continue here without wasting significant amount of energy. Perhaps RHL9 squid should be upgraded to the same version as FC1 to make it easier to ship both together and align with RHEL, or something.

The sslConnectTimeout patch applies directly to the squid version used in FC2 and completely fixes CVE-2005-2796. The ssl-diff, connect and connect_truncated patches were made by RedHat to update the version of the ssl.c file in older squid releases to a version that can be patched by sslConnectTimeout. The dothost patch is already included upstream in squid-2.5.STABLE10.

Upgrading versions is not in line with Legacy's guidelines. There are zillions of patches to QA because we haven't kept up with squid releases.

But FC2 has STABLE9, not STABLE10?

Oops, sorry, I meant "already included upstream in squid-2.5.STABLE9", so it is already included in fc2.

Created attachment 121285 [details]
Updated bug-sheet. (.sxc format, OpenOffice.org)

Was just wondering, there are a number of CVE's identified in the table in attachment 120495 [details] that are not listed in your Changelogs, Marc. (I haven't looked at anything but the changelogs from comment 15 so far.) Were these not fixed?

In this new attachment, all cells with an "N" marked in green are CVE's that are marked fixed in the changelogs. Cells marked in red are those that I am concerned about:

RH7.3: CVE-2005-1345, CVE-2005-2917, CVE-2005-3258
RH9 : CVE-2005-3258
FC1 : CVE-2005-3258
FC2 : CVE-2004-2479, CVE-2005-3258

CVE-2005-3258 is apparently considered major severity by the Squid folks. <http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape>

Thanks.

Created attachment 121286 [details]
Corrected Updated bug-sheet. (.sxc format, OpenOffice.org)

Oops. I made the same mistake as Pekka. I now see that CVE-2004-2479 was a patch in squid-2.5.STABLE7, so was included in squid-2.5.STABLE8 and later, so is not a concern in FC2. Corrected table attached. Sorry 'bout that.

The CVE-2005-3258 patch was for a bug introduced in the squid-2.5.STABLE10-ftp_basehref.patch which we don't use, so we're not vulnerable to that issue.

CVE-2005-2917 only applies to NTFS authentication, which the squid version in rh7.3 doesn't support.

CVE-2005-1345 was not fixed in squid-2.4 from RHEL21, so I didn't fix it in rh7.3's squid-2.4. Maybe this needs further investigation.

Created attachment 121287 [details]
Yet better bug-sheet. (.sxc format, OpenOffice.org)

Thanks, Marc. Like Visine, you got the red out.

Think you could check these out again Pekka?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- the patches verified against RHEL, and in FC2 and for NTLM auth against upstream.

I did NOT verify Marc's analysis on which patches are (not) needed on which platform, so I assume it's OK.

+PUBLISH RHL73, RHL9, FC1, FC2

2dbcf936b058ecb5eac61b9c584402faf1aee9b2  squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDiA6AGHbTkzxSL7QRAmNbAJ48Lj21L7t6mYE+2pJyqZehDWqcIgCdHqf6
jMeWRAtoBqs0pk6GXyBmSxk=
=Jv2c
-----END PGP SIGNATURE-----

Cool. Thanks Pekka!

Packages were pushed to updates-testing. New policy: automatic accept after two weeks if no negative feedback.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

2dbcf936b058ecb5eac61b9c584402faf1aee9b2  squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Installed with yum, edited the squid conf to add visible_hostname and correct access ACL. Browsed with http and https, and downloaded files using ftp. Executed files downloaded through FTP. All were successful. Verified usage in squid.log.

+VERIFY rh73,rh9,fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFD9L1LpxMPKJzn2lIRAoCyAJwIaqCokJMyBwNzlQXEc70SxYCacACfY2fZ
HvGmQxjTIQFIEJUchMHuq3w=
=GdSp
-----END PGP SIGNATURE-----

Mmm, there may be a terminology error. You're referring to src.rpm's, which you probably couldn't install :-). I guess you installed the binary versions in the updates-testing directory? Which OS versions did you test?

Whoops. Bad cut'n'paste. I DID qa the .rpms that were in updates-testing for each release.

You have access to every released architecture? That's impressive -- thanks!

Packages were released to updates.

The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was: Squid Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CVE-2005-2917)
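The HTTP Request Smuggling advisory quoted in the description above turns on a framing ambiguity: a request carrying two distinct Content-Length headers, which one hop resolves by honouring the first and the next hop by honouring the last. The Python below is an added example, not code from this bug report or from the Squid project; it shows the framing check a proxy, cache or web application firewall applies so that such a request is rejected instead of forwarded. The three sample requests and the host name example.test are constructed for the demonstration, and the check goes slightly beyond the advisory's case by also rejecting Content-Length together with Transfer-Encoding and whitespace before a header's colon, the other classic ways two parsers disagree on where a request ends.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Added example (not part of the Bugzilla thread or of Squid). A proxy that
forwards a request must be certain every hop will see the same body
boundary; when the head admits two readings, the safe action is to refuse
it with 400 rather than pick one reading and forward.
"""
import re
from typing import List, Tuple

# Content-Length must be one or more ASCII digits and nothing else.
_CL_RE = re.compile(rb"^[0-9]+$")


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a request head into the request line and (name, value) pairs.

    Raises ValueError on heads that a strict parser must not accept at all.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head (no CRLFCRLF terminator)")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        # Obsolete line folding lets two parsers join lines differently.
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        # Whitespace between the field name and the colon ("Content-Length : 5")
        # is another place where parsers disagree, so it is refused outright.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def framing_problems(raw: bytes) -> List[str]:
    """Return the framing ambiguities found; an empty list means safe to forward."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    # Rule 1: every Content-Length value must be a plain decimal number.
    for v in cl_values:
        if not _CL_RE.match(v):
            problems.append("non-numeric Content-Length %r" % v)
    # Rule 2: the advisory's case. Repeated identical values are tolerated;
    # differing values mean one hop reads the first and another the last.
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values %r" % cl_values)
    # Rule 3: Content-Length next to Transfer-Encoding is ambiguous as well.
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    # Rule 4: if Transfer-Encoding is used, the final coding must be chunked,
    # otherwise the body length cannot be determined at all.
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(b",")]
        if codings[-1] != b"chunked":
            problems.append("Transfer-Encoding does not end with chunked")
    return problems


# Constructed sample requests: one clean, two with the ambiguities above.
CLEAN = (b"POST /cgi-bin/a HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /cgi-bin/a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n")
CL_TE = (b"POST /cgi-bin/a HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")


def demo() -> None:
    """Print the verdict for each sample request."""
    for name, req in (("clean", CLEAN), ("double-cl", DOUBLE_CL), ("cl-te", CL_TE)):
        print(name, framing_problems(req) or "ok")


if __name__ == "__main__":
    demo()
```

In a real front end the non-empty list maps to a 400 response and a log line; the point of returning every problem rather than the first is that the log then shows which parser disagreement was being probed.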