Bug 152809

Summary: Squid Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-...
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: squid
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bugzilla.redhat, deisenst, jpdalbec, pekkas, redhat-bugzilla, rob.myers, simon
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities
Whiteboard: 1, LEGACY, rh73, rh90, 2
Doc Type: Bug Fix
Last Closed: 2006-02-18 19:14:17 UTC Type: ---
Bug Blocks: 189323    
Attachments (description, flags):
- Table of CVE's this bug ticket fixes & new CVE's for next one. (flags: none)
- Updated bug-sheet. (.sxc format, OpenOffice.org) (flags: none)
- Corrected Updated bug-sheet. (.sxc format, OpenOffice.org) (flags: none)
- Yet better bug-sheet. (.sxc format, OpenOffice.org) (flags: none)

Description David Lawrence 2005-03-30 23:28:13 UTC
iDEFENSE reported on 2004-10-11 a vulnerability in the squid SNMP
module.  This issue could lead to a potential DOS (it will restart
the server, dropping all open connections).

http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135320
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135319



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-11 19:30:05 ----

Patch available here:
http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump



------- Additional Comments From rob.myers.edu 2004-10-12 05:35:39 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Packages to QA for FC1:
 
changelog:
* Tue Oct 12 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.2.legacy
- - apply patch for CAN-2004-0918 bug #2150
- - group last patch under fedora legacy security updates
 
* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.1.legacy
- - apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0541
 
* Mon Jun 07 2004 Jay Fenlason <fenlason> 7:2.5.STABLE3-2.fc1
- - Backport patch for CAN-2004-0541: buffer overflow in ntlm auth helper.
 
e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm
4ed87eab384871e59a22ce0292637fe45930f9c3 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.2.legacy.i386.rpm
ae53c32e6b0a1105ec444143536f159a11839124 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-debuginfo-2.5.STABLE3-2.fc1.2.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBa/khtU2XAt1OWnsRAtSpAKDIGkqZuxS5LOH46vafpuSbzyFIwgCeO8uw
A/ieXFd1K22u+GKuk+Wqj30=
=etE0
-----END PGP SIGNATURE-----




------- Additional Comments From simon 2004-10-14 10:17:14 ----

Created an attachment (id=885)
7.3 patch

Here's a patch for squid-2.4.STABLE6 for redhat 7.3

Packages to follow shortly.

- Si



------- Additional Comments From simon 2004-10-14 10:26:01 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Test packages for 7.3. 
 
%changelog 
* Thu Oct 14 2004 Simon Weller <simon> 
- - added patch to address asn_parse_header() DOS (CAN-2004-0918) 
 
ftp://potelweller.com/fedora_legacy/testing/squid-2.4.STABLE6-6.7.4.7.x.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm 
 
sha1sum: 
120e20f466423a28a5bb3db208ba3794b17af1d7 
*squid-2.4.STABLE6-6.7.4.7.x.legacy.i386.rpm 
e2bf5c3cc1681ab9adae3fef6852717512b7801f 
*squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBbuCvMLOCzgCQslsRAr7hAJ9+2P8Yi2Otr1x4CzzT93fHunsofgCglJG9 
5KNpLijyBBk5+alBmMbMDKs= 
=gCn6 
-----END PGP SIGNATURE----- 



------- Additional Comments From marcdeslauriers 2004-10-16 05:58:31 ----

This bug supersedes bug 2053



------- Additional Comments From marcdeslauriers 2004-10-16 06:01:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the fc1 squid package:

e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7 squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm

- - Sources match last release
- - Spec file looks good
- - Patch for CAN-2004-0541 is present
- - Patch for CAN-2004-0832 is present (Changelog references wrong CAN number)
- - Patch for CAN-2004-0918 is present
- - Builds, installs and runs

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBcUYVLMAs/0C4zNoRAgo6AJ4i0O0qwo0tzhzUngJQGfHiQyDmigCgvjXF
dG1RrgA8e27lSX9aZRhm188=
=oD/f
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-16 06:19:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh73 squid package:

e2bf5c3cc1681ab9adae3fef6852717512b7801f squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm

- - Sources match last release
- - Spec file looks good
- - Patch for CAN-2004-0541 is not needed
- - Patch for CAN-2004-0832 is not needed
- - Patch for CAN-2004-0918 is present and looks good
- - Builds, installs and runs

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBcUoiLMAs/0C4zNoRAgLdAJ0RCu7Er4CddmfR847QZph2rL74FwCgvqy1
IxiVkj6eIlWiSijyhcx5mCY=
=Tnej
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-16 07:29:02 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh9:

Changelog:
* Sat Oct 16 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-6.9.legacy
- - CAN-2004-0918 security patch (snmp DoS)
 
* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-5.9.legacy
- - CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM helpers)
 
* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-4.9.legacy
- - CAN-2004-0541 security patch (NTLM Authentication Helper Buffer Overflow)

ba74736311c002f17dda452ec49ad18654f07db2  squid-2.5.STABLE1-6.9.legacy.i386.rpm
4757903683ff3d1afff604807f307073a963baa4  squid-2.5.STABLE1-6.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-6.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-6.9.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBcVpyLMAs/0C4zNoRAlRoAJ0dN5JKYrC5G34znKtipqXZJUX0LwCfdNbO
0zO8gpzxThrS8Rl5SixLruk=
=YAY3
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse.edu 2004-10-18 08:56:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package: 
e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7  squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm

- - source identical to squid-2.5.STABLE3-0.src.rpm from mirrors.kernel.org
- - spec file looks good
- - patch files are good
- - builds cleanly
- - installs clean
- - runs ok

+ PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBdBHrwnUFCSDmt7ERAkFKAJwMrHCLqOdBRGnTZHPTUzrTHN2HXwCeI3ET
KjyabP7eLNdcSp1vA0F4sKc=
=CKUJ
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-20 10:31:57 ----

https://rhn.redhat.com/errata/RHSA-2004-591.html



------- Additional Comments From jpdalbec 2004-12-13 12:29:57 ----

04.49.15 CVE: Not Available
Platform: Unix
Title: Squid Proxy Failed DNS Lookup Information Disclosure
Description: Squid is a web proxy software package. It is reported to
be vulnerable to an information disclosure issue. The issue presents
itself when it processes a sequence of failed DNS lookup requests, and
returns random error messages to the user. Squid versions 2.5 and
earlier are reported to be vulnerable.
Ref: http://secunia.com/advisories/13408/ 



------- Additional Comments From pekkas 2004-12-21 06:29:36 ----

I have not yet seen any vendor even been reported of the latest problem (nothing
in RH bugzilla, or debian, nothing on bugtraq), but it does not seem to be severe.

Patch at:

http://www.squid-cache.org/bugs/attachment.cgi?id=523&action=view

.. though we could possibly also go forward without it, if folks think that
would be acceptable (as FC1 and RHL73 have been QA'd already).



------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-06 22:46:17 ----

Another minor security problem has been found.

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls

>The meaning of the access controls becomes somewhat confusing if any of the referenced acls is declared empty, without any members.

Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch





------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-12 22:28:02 ----

More new problems were found.

One of them is "Denial of service with forged WCCP messages". 

Advisory:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service

Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch


And the other is "buffer overflow bug in gopherToHTML()".

Advisory:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing

Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch


Additionally Secunia announced "NTLM fakeauth_auth Helper Denial of Service" at
http://secunia.com/advisories/13789/ .

Advisory:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth

Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch

But the last bug is not marked as a security problem on the squid website.




------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-23 22:20:04 ----

>#14 

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0094
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0095
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0097

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145543



------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-23 22:20:51 ----

Additionally, another two security patches have been released.

"Strengthen Squid from HTTP response splitting cache pollution attack"

Advisory:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting
Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-response_splitting.patch


"Sanity check usernames in squid_ldap_auth"

Advisory:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
Patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch



------- Additional Comments From marcdeslauriers 2005-02-04 20:04:42 ----

* Buffer overflow when handling WCCP recvfrom() (CAN-2005-0211).

* Loose checking of HTTP headers (CAN-2005-0173 and CAN-2005-0174).

* Incorrect handling of LDAP login names with spaces (CAN-2005-0175).



------- Additional Comments From marcdeslauriers 2005-02-04 20:08:28 ----

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146787
CAN-2005-0194 Empty proxy_auth ACLs are silently accepted but lead to
unpredictable ACL matching



------- Additional Comments From marcdeslauriers 2005-02-10 13:31:41 ----

CAN-2005-0241
                The httpProcessReplyHeader function in Squid 2.5-STABLE7
                and earlier does not properly set the debug context when
                it is handling "oversized" HTTP reply headers. The impact
                is unknown.



------- Additional Comments From pekkas 2005-02-15 22:44:03 ----

RHEL patches available now from:
https://rhn.redhat.com/errata/RHSA-2005-061.html



------- Additional Comments From marcdeslauriers 2005-02-16 11:54:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated squid packages to QA:

Changelog 7.3:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers>
7:2.4.STABLE7-0.73.1.legacy
- - Rebuilt as Fedora Legacy security update for Red Hat Linux 7.3

* Tue Feb 01 2005 Jay Fenlason <fenlason>
- - Two more security fixes:
  * CAN-2005-0211 bz#146777 buffer overflow in wccp recvfrom() call
  * bz#146780 correct handling of oversize reply headers

* Mon Jan 31 2005 Jay Fenlason <fenlason>
- - Change the squid user's login shell to /sbin/nologin

* Mon Jan 31 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.3
- - Don't include the 0-length files created by patch in the errors directory.

* Fri Jan 28 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.2
- - Backport three more security fixes to close bz#146159
- - Also backport the -reply_header_max_size patch
- - Reorganize this spec file to apply upstream patches first.

* Thu Jan 20 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.1
- - Backport fixes for CAN-2005-0094 (remote DOS in parsing malformed Gopher
  messages). and CAN-2005-0095 (remote DOS in parsing malformed wccp messages).
- - This version of squid is not vulnerable to CAN-2005-0096 and CAN-2005-0097
  because it does not contain the ntlm_auth helper.

* Tue Oct 12 2004 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as
- - Backport SNMP_core_dump patch from 2.5.STABLE6 to fix CAN-2004-0918
  (Remote DoS)

* Mon Jun 21 2004 Jay Fenlason <fenlason> 7:2.4.STABLE7-0.21as
- - bump to 2.4.STABLE7 to pick up all the post STABLE6 patches
- - Include the three upstream patches to 2.4.STABLE7
- - Add the forward_retries one-line patch for bugzilla #120849

Changelog 9:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-7.9.legacy
- - Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096,
  CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175,
  CAN-2005-0194, CAN-2005-0211, CAN-2005-0241

* Sat Oct 16 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-6.9.legacy
- - CAN-2004-0918 security patch (snmp DoS)

* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-5.9.legacy
- - CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM helpers)

* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-4.9.legacy
- - CAN-2004-0541 security patch (NTLM Authentication Helper Buffer Overflow)

Changelog fc1:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE3-2.fc1.3.legacy
- - Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096,
  CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175,
  CAN-2005-0194, CAN-2005-0211, CAN-2005-0241

* Tue Oct 12 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.2.legacy
- - apply patch for CAN-2004-0918 bug #2150
- - group last patch under fedora legacy security updates

* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.1.legacy
- - apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0832

7.3:
ac31751861e73b63e846dca6fab15268738aa43e  squid-2.4.STABLE7-0.73.1.legacy.i386.rpm
fe1f50aa76db2911b84036c44a5f51698cf12d7a  squid-2.4.STABLE7-0.73.1.legacy.src.rpm

9:
6f7e0d734636408c9821cc6356832a6449b8ed1b  squid-2.5.STABLE1-7.9.legacy.i386.rpm
aa9fd1f085673b8c33bacb71b2ea9357958a0a74  squid-2.5.STABLE1-7.9.legacy.src.rpm

fc1:
689a84a8f5253c34c935fdca8f58a764898c21dd  squid-2.5.STABLE3-2.fc1.3.legacy.i386.rpm
d111414894a5dcfc521261f16f7643cb3c87354e  squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm


http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-7.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-7.9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCE8FKLMAs/0C4zNoRAiN+AJ9F8TRUAmjC7eC0gokH0rnAnc9RFACcD8JW
ul+fYv12LwtZqTEayi/Yw2M=
=L5sB
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-02-17 11:09:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes a bit noisy at times, but acceptable
 - verified the patches from upstream; a couple in RHL9 were renamed and had
minor differences, but appear to be OK.

+PUBLISH RHL73,RHL9,FC1

fe1f50aa76db2911b84036c44a5f51698cf12d7a  squid-2.4.STABLE7-0.73.1.legacy.src.rpm
aa9fd1f085673b8c33bacb71b2ea9357958a0a74  squid-2.5.STABLE1-7.9.legacy.src.rpm
d111414894a5dcfc521261f16f7643cb3c87354e  squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCFQgIGHbTkzxSL7QRAkQ8AKCXYi5MhGFXg5b9VAl5QBMmaAuOcgCbBOAI
NA+5My11og3pXI13988UxR4=
=Bwt+
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-02-20 12:30:28 ----

Packages pushed to updates-testing



------- Additional Comments From marcdeslauriers 2005-03-19 11:41:39 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new squid packages to QA:

Changelog:
* Sat Mar 19 2005 Marc Deslauriers <marcdeslauriers>
7:2.4.STABLE7-0.73.2.legacy
- - Added security patch for CAN-2005-0446 taken from RHEL3
- - Added backported security patch for CAN-2005-0626

7.3:
5531efe9d4ab8e265d7fe79e8f3e013f4cc2913a  squid-2.4.STABLE7-0.73.2.legacy.i386.rpm
edefe80878fe0cc4b14787134197bbc57d46212f  squid-2.4.STABLE7-0.73.2.legacy.src.rpm

9:
d4e688a366a9a0e1c951da52f9b994cfb4209f2a  squid-2.5.STABLE1-9.9.legacy.i386.rpm
eb74c7bc83e0042719da92d47c6cb0902b160128  squid-2.5.STABLE1-9.9.legacy.src.rpm

1:
1acfbce9a6221abac6a3e51aa124e19de3df7fde  squid-2.5.STABLE3-2.fc1.5.legacy.i386.rpm
dab926549b985d8d677b4731b463afdfa00c8a74  squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCPJwjLMAs/0C4zNoRAp9UAJ9BmzuTEPmy7X9ZTRx8zpJ4bdoLdQCgsxqh
i40zh+DW10hcNQN0uFvjYrY=
=JrIo
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-19 11:43:31 ----

A bug was found in the way Squid handles FQDN lookups. It was possible
to crash the Squid server by sending a carefully crafted DNS response to
an FQDN lookup. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. 

https://rhn.redhat.com/errata/RHSA-2005-173.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0446

05.10.28 CVE: CAN-2005-0626
Platform: Cross Platform
Title: Squid Proxy Set-Cookie Information Disclosure
Description: Squid is web proxy software. It is affected by a remote
information disclosure problem. The issue presents itself when the
requested server employs the Netscape "Set-Cookie" specifications.
Squid Proxy versions 2.5 STABLE7 through version 2.5 STABLE9 are
affected.
Ref: http://www.securityfocus.com/advisories/8208



------- Additional Comments From marcdeslauriers 2005-03-19 11:44:44 ----

*** Bug 2446 has been marked as a duplicate of this bug. ***



------- Additional Comments From pekkas 2005-03-19 13:42:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - the dns_assert patch verified to come from upstream,
   the setcookie patch verified to be correct w/ Ubuntu's patch

I noted that the RHEL3 version has requires: linuxdoc-tools which this one
does not have, but as it compiles fine, this is OK I think.

+PUBLISH RHL73,RHL9,FC1

edefe80878fe0cc4b14787134197bbc57d46212f  squid-2.4.STABLE7-0.73.2.legacy.src.rpm
eb74c7bc83e0042719da92d47c6cb0902b160128  squid-2.5.STABLE1-9.9.legacy.src.rpm
dab926549b985d8d677b4731b463afdfa00c8a74  squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCPLiwGHbTkzxSL7QRAulyAJ9aP6Hgy/TwsyMX49yjpTplb2x4cQCgvcgU
7BK8yhTqa2oxmJpZV0im4w0=
=x8qA
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug previously known as bug 2150 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2150
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
7.3 patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=885

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 22:33:14 UTC
*** Bug 152778 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2005-04-05 22:34:29 UTC
Packages were pushed to updates-testing.

Comment 3 Marc Deslauriers 2005-04-05 22:35:59 UTC
*** Bug 152733 has been marked as a duplicate of this bug. ***

Comment 4 John Dalbec 2005-05-13 20:49:00 UTC
05.19.16 CVE: Not Available
Platform: Unix
Title: Squid Proxy Unspecified DNS Spoofing
Description: Squid Proxy is a freely available, open source web proxy
software package. Squid Proxy is affected by an unspecified DNS
spoofing vulnerability. Squid Proxy versions 2.5 and earlier are known
to be vulnerable.
Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query 

Comment 5 John Dalbec 2005-06-10 14:19:34 UTC
(2) MODERATE: Multiple Vendor HTTP Request Smuggling
Affected:
Configurations involving a number of popular web proxy/cache servers and
web application firewalls

Description: A new attack technique named "HTTP Request Smuggling" has
been reported to affect configurations that involve one or more web
entities (i.e. a web proxy server, a web cache server or a web
application firewall) between a user and a web server. The attack can
be carried out by crafting back-to-back HTTP requests that are
interpreted differently by the web entities. For example, if an HTTP
request is crafted with two distinct HTTP "Content-Length" headers, the
two web entities may process the same request by honoring either the
first or the last "Content-Length" header. The discoverers have shown
how an attacker can exploit such behaviors by crafting HTTP requests
that may result in web cache poisoning, bypassing the web firewall,
cross-site scripting (requiring no user interaction) or session
hijacking. The vulnerable example configurations listed in the
discoverers' posting include Sun ONE proxy server, Sun ONE webserver,
CheckPoint Firewall, Microsoft IIS server, Microsoft ISA server, Apache,
Jakarta Tomcat server, IBM WebSphere, BEA WebLogic, Oracle9iAS, Squid,
Delegate and Oracle WebCache.

Status: Squid and CheckPoint have distributed patches. The status
regarding other vendors is not currently known.

Council Site Actions: Two council sites are still evaluating if they are
vulnerable. One site has already patched their system.

References:
Watchfire Whitepaper
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf  
SecurityFocus BID
http://www.securityfocus.com/bid/13873 

05.23.14 CVE: Not Available
Platform: Cross Platform
Title: Multiple Vendor Multiple HTTP Request Smuggling
Description: Multiple vendors are prone to a new class of attack named
"HTTP Request Smuggling". This class of attack basically revolves
around piggybacking a HTTP request inside of another HTTP request. By
leveraging failures to implement the HTTP/1.1 RFC properly, it is
demonstrated that this class of attack may result in cache poisoning,
cross-site scripting, session hijacking and other attacks. Reports
indicate that Microsoft IIS 5.0 is affected.
Ref: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf 
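
Added example (not part of the original comment and not Squid's code): the duplicate "Content-Length" disagreement described above, shown on a constructed request with a neutral body, together with a strict framing check an intermediary can apply before forwarding. The host name, sample bytes and function names are assumptions made for illustration; the Transfer-Encoding check goes beyond the case in the text and covers the same class of framing ambiguity.

```python
import re

CRLF = b"\r\n"

# Constructed sample (not captured traffic): one request carrying two
# different Content-Length headers and a 21-byte body.
SAMPLE = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"id=42&note=0123456789"
)

# Constructed sample: the same request with unambiguous framing.
CLEAN = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"id=42&note=0123456789"
)


def parse_head(raw):
    """Return (request_line, [(lowercased name, value)], bytes after the blank line)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header block is not terminated")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Whitespace around a header name is itself a source of parser disagreement.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").lower(),
                        value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, rest


def lenient_view(raw, policy):
    """Split the bytes as a lenient parser would, honouring the 'first' or
    the 'last' Content-Length. Returns (body, leftover)."""
    _, headers, rest = parse_head(raw)
    lengths = [int(v) for n, v in headers if n == "content-length"]
    if not lengths:
        return b"", rest
    n = lengths[0] if policy == "first" else lengths[-1]
    return rest[:n], rest[n:]


def framing_problems(raw):
    """Reasons a strict intermediary should refuse the request (empty list = OK)."""
    _, headers, _ = parse_head(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    # One header may also carry a comma-separated list of values.
    values = [p.strip() for v in lengths for p in v.split(",")]
    problems = []
    for v in values:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append("non-numeric Content-Length %r" % v)
    if len(set(values)) > 1:
        problems.append("conflicting Content-Length values: " + ", ".join(values))
    elif len(values) > 1:
        problems.append("repeated Content-Length header")
    if lengths and any(n == "transfer-encoding" for n, _ in headers):
        problems.append("Content-Length together with Transfer-Encoding")
    return problems


if __name__ == "__main__":
    for policy in ("first", "last"):
        body, leftover = lenient_view(SAMPLE, policy)
        # Leftover bytes are what that parser would treat as the next request.
        print(policy, "-> body", body, "leftover", leftover)
    print("strict check, sample:", framing_problems(SAMPLE))
    print("strict check, clean: ", framing_problems(CLEAN))
```

The two lenient views disagree on where the request ends, which is the desynchronisation the advisory describes; the strict check refuses the message instead of picking one interpretation.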

Comment 6 John Dalbec 2005-09-21 14:26:47 UTC
05.37.15 CVE: CAN-2005-2794
Platform: Unix
Title: Squid Proxy Aborted Requests Remote Denial of Service
Description: Squid Proxy is a freely available, open source Web proxy
software package. A remote denial of service vulnerability affects the
Squid Proxy. This issue is due to a failure of the application to
properly handle exceptional network requests. A remote attacker may
leverage this issue to crash the affected Squid Proxy, denying service
to legitimate users.
Ref: http://www.securityfocus.com/bid/14761

Comment 7 Eric Jon Rostetter 2005-09-23 15:36:45 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
RHL 7.3 Packages: squid-2.4.STABLE7-0.73.2.legacy.i386.rpm
Checksums and signatures verify okay.
 
I installed the program without any problems.  After a long learning curve
on how to configure it (I've never used squid before) I was actually able
to make it work!  I tested some basic functionality, and it all worked
amazingly well.  I did NOT test the exact security problem (SNMP) but
rather tested ftp and http only. I uninstalled it without issue.
 
Vote for release for RHL 7.3. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNCEG4jZRbknHoPIRAilTAJ4kmxOYn3Tj+BbqP9qp6SFKIvzvKgCgqqk/
xYXPjzS7OTUBj/26PcSjEFg=
=7Wdn
-----END PGP SIGNATURE-----


Comment 8 Eric Jon Rostetter 2005-09-23 15:50:17 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                                
++VERIFY for RHL 9
                                                                                
RHL 9 Packages: squid-2.5.STABLE1-9.9.legacy.i386.rpm
Checksums and signatures verify okay.
                                                                                
I installed the program without any problems.  Upon running, I got the
error messages:
                                                                                
init_cache_dir /var/spool/squid... /etc/rc.d/init.d/squid: line 162:  3604
Aborted                 $SQUID -z -F -D 2>/dev/null
Starting squid: /etc/rc.d/init.d/squid: line 162:  3605 Aborted
$SQUID $SQUID_OPTS 2>/dev/null
                                                           [FAILED]
 
Apparently it can't figure out my hostname.  I edited /etc/squid/squid.conf
and added the 'visible_hostname' to be my fully qualified host name.
After that, it started fine.  This is, I presume, a problem with my
machine setup and not a bug in squid per se.
 
Once configured and running, it worked fine as an HTTP proxy/accelerator.
I didn't test the SNMP functionality or bug fix; I just used it as an
HTTP proxy/accelerator.
 
Vote for release for RHL 9. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNCQc4jZRbknHoPIRAo/gAKCDNfgnHeCMjT8PBhQHEDDvxKTarQCeLoHS
5JC2cVsq/ee+tu9Vc56n06c=
=Y6pF
-----END PGP SIGNATURE-----


Comment 9 Pekka Savola 2005-09-23 19:03:39 UTC
Thanks, timeouts in 2 weeks.

Comment 10 Pekka Savola 2005-10-08 05:18:12 UTC
Timeout over.

Comment 11 John Dalbec 2005-10-11 14:03:05 UTC
I've moved the vulnerabilities I reported post-updates-testing to Bug #170410 so
this bug can be closed when the packages are released.

Comment 12 David Eisenstein 2005-10-28 07:56:28 UTC
Created attachment 120495 [details]
Table of CVE's this bug ticket fixes & new CVE's for next one.

The attached table indicates all the CVE's I was able to determine that this
bug #152809 fixes for the 3 distros handled in this bug report, plus FC2.
"Y" in a row means that the CVE on that row is fixed for the distro in the
column.

This table also documents all of the CVE's I could find that are (or may be)
issues for our next Bug #170410 to fix.  These are the ones with the "N"
(meaning "no, not fixed here") for the distro/CVE's.  Some helpful links
(like to RHSA reports or upstream patches where useful) are also placed on
each row.

Hope this is helpful.

Comment 13 Marc Deslauriers 2005-11-18 00:35:33 UTC
I am not going to release the packages in updates-testing as they are seriously
out-of-date. Let's track the new issues in this bug.


Comment 14 Marc Deslauriers 2005-11-18 00:37:06 UTC
*** Bug 170410 has been marked as a duplicate of this bug. ***

Comment 15 Marc Deslauriers 2005-11-18 00:41:22 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new squid packages to QA:

rh7.3 Changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers>
7:2.4.STABLE7-0.73.3.legacy
- - Added security patches for CVE-2005-0718, CVE-1999-0710, CVE-2005-1519,
  CVE-2004-2479 and CVE-2005-2794
- - Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

rh9 changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-9.10.legacy
- - Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710,
  CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- - Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

fc1 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE3-2.fc1.6.legacy
- - Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710,
  CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- - Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

fc2 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE9-1.FC3.3.legacy
- - Added security patches for CVE-1999-0710, CVE-2005-1519, CVE-2005-2794,
  CVE-2005-2796 and CVE-2005-2917


rh7.3:
7f2ecd2112c5be2b30e3561fbf51e42ef57d3301  7.3/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm
2dbcf936b058ecb5eac61b9c584402faf1aee9b2  7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm

rh9:
f60363c2614c4ef99db6e9084a965819c6b76a17  9/squid-2.5.STABLE1-9.10.legacy.i386.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  9/squid-2.5.STABLE1-9.10.legacy.src.rpm

fc1:
64e1464f0448299157b799c9c387c4d6de549b5f  1/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm

fc2:
e03ee3e4ff5a8c9ea70e49e0fb551703d7194f8c  2/squid-2.5.STABLE9-1.FC2.3.legacy.i386.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/
http://www.infostrategique.com/linuxrpms/legacy/2/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfSJoLMAs/0C4zNoRAgWuAJ9uO7hRiCsUr1dy+XBRYxODbOQChgCgmsiW
FIeN6tShS1rc6/NIFlr3lEI=
=9jaQ
-----END PGP SIGNATURE-----
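
Added example (not part of the original comment and not the packages' spec-file change): an audit for the squid.conf permission issue named in the changelogs above. It flags a configuration file that is readable by other users while it holds clear-text credentials. The two directives checked (`cachemgr_passwd` and `cache_peer ... login=user:password`) are real Squid directives chosen here as an assumption, since the changelog does not say which ones motivated the fix; the 0640 target mode and all sample values are likewise assumptions.

```python
import os
import stat
import tempfile

# Constructed squid.conf fragment (sample values, not from any real system).
SAMPLE_CONF = "\n".join([
    "# constructed squid.conf fragment",
    "http_port 3128",
    "cachemgr_passwd Sup3rS3cret shutdown",
    "cachemgr_passwd none info",
    "cache_peer parent.example.test parent 3128 3130 login=proxyuser:hunter2",
    "cache_peer sibling.example.test sibling 3128 3130 login=PASS",
]) + "\n"


def secret_lines(text):
    """Return the 1-based line numbers of directives that embed a password."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        words = line.split()
        if not words:
            continue
        if words[0] == "cachemgr_passwd":
            # "none" and "disable" are keywords, not passwords.
            if len(words) >= 2 and words[1] not in ("none", "disable"):
                hits.append(number)
        elif words[0] == "cache_peer":
            # login=user:password carries a secret; login=PASS does not.
            if any(w.startswith("login=") and ":" in w for w in words[1:]):
                hits.append(number)
    return hits


def audit(path):
    """Return a list of findings for one configuration file (empty = OK)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="latin-1") as handle:
        secrets = secret_lines(handle.read())
    findings = []
    if secrets and mode & stat.S_IROTH:
        findings.append("world-readable (%04o) with credentials on line(s) %s"
                        % (mode, ", ".join(str(n) for n in secrets)))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (%04o)" % mode)
    return findings


def demo():
    """Audit a temporary copy of SAMPLE_CONF at 0644, then at 0640."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_CONF)
        path = tmp.name
    try:
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o640)  # assumed target mode: owner rw, group r, others none
        after = audit(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0640:", after)
```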


Comment 16 Pekka Savola 2005-11-19 17:26:16 UTC
Argh.  Squid is a pain in the ass.  I just spent an hour trying to verify these
for correctness, but the patches were so difficult to figure out that I gave up.

What I was easily able to check was that RHL73 and FC1 corresponded to the RHEL
packages, and patches were except for the NTLM-assert patch which RHEL doesn't
ship (yet).  FC1 and RHL9 also appeared to have the same patches, though
contents were somewhat different.  I couldn't figure out why FC2 seemed to be
missing ssl-diff, connect, connect_truncated (3/4 of CVE-2005-2796) and dothost
(-2004-2479) patches.  RHEL also had included
squid-2.5.STABLE10-statHistAssert.patch but that isn't an urgent update so
leaving it out is OK.  

I'm not sure how we could continue here without wasting a significant amount of
energy.  Perhaps RHL9 squid should be upgraded to the same version as FC1 to
make it easier to ship both together and align with RHEL, or something.


Comment 17 Marc Deslauriers 2005-11-19 19:02:57 UTC
The sslConnectTimeout patch applies directly to the squid version used in FC2
and completely fixes CVE-2005-2796. The ssl-diff, connect and connect_truncated
patches were made by Red Hat to update the version of the ssl.c file in older
squid releases to a version that can be patched by sslConnectTimeout.

The dothost patch is already included upstream in squid-2.5.STABLE10.

Upgrading versions is not in line with Legacy's guidelines. There are zillions
of patches to QA because we haven't kept up with squid releases.

Comment 18 Pekka Savola 2005-11-19 19:45:12 UTC
But FC2 has STABLE9, not STABLE10?

Comment 19 Marc Deslauriers 2005-11-19 21:18:41 UTC
Oops, sorry, I meant "already included upstream in squid-2.5.STABLE9", so it is
already included in fc2.

Comment 20 David Eisenstein 2005-11-21 01:26:04 UTC
Created attachment 121285
Updated bug-sheet.  (.sxc format, OpenOffice.org)

Was just wondering, there are a number of CVE's identified in the table in
attachment 120495 that are not listed in your Changelogs, Marc.  (I haven't
looked at anything but the changelogs from comment 15 so far.)  Were these not
fixed?

In this new attachment, all cells with an "N" marked in green are CVE's that
are marked fixed in the changelogs.  Cells marked in red are those that I am
concerned about:

  RH7.3:  CVE-2005-1345, CVE-2005-2917, CVE-2005-3258
  RH9  :                                CVE-2005-3258
  FC1  :                                CVE-2005-3258
  FC2  :  CVE-2004-2479,                CVE-2005-3258

CVE-2005-3258 is apparently considered major severity by the Squid folks.
<http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape>


Thanks.

Comment 21 David Eisenstein 2005-11-21 01:52:00 UTC
Created attachment 121286
Corrected Updated bug-sheet. (.sxc format, OpenOffice.org)

Oops.  I made the same mistake as Pekka.  I now see that CVE-2004-2479 was a
patch in squid-2.5.STABLE7, so was included in squid-2.5.STABLE8 and later, so
is not a concern in FC2.

Corrected table attached.  Sorry 'bout that.
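
The check that comments 18 to 21 work through by hand, as an added example that is not part of this thread or of Fedora Legacy's tooling: a CVE absent from a package changelog is only outstanding if the package's upstream base predates the release that first carried the fix. The tracked list is a subset of this bug's CVEs, the function names are hypothetical, and the STABLE3 package name is constructed.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BASE_RE = re.compile(r"(\d+)\.(\d+)\.STABLE(\d+)")

# fc2 changelog entry as quoted in this bug (PGP dash-escaping left in place).
FC2_CHANGELOG = """\
- - Added security patches for CVE-1999-0710, CVE-2005-1519, CVE-2005-2794,
  CVE-2005-2796 and CVE-2005-2917
"""

# Subset of the CVEs tracked in this bug, chosen for the example.
TRACKED = {"CVE-1999-0710", "CVE-2004-2479", "CVE-2005-1519",
           "CVE-2005-2794", "CVE-2005-2796", "CVE-2005-2917"}

# First upstream release that already contains the fix, per comment 21.
FIXED_UPSTREAM = {"CVE-2004-2479": (2, 5, 8)}


def base_version(nvr):
    """Extract the upstream base, e.g. (2, 5, 9) from squid-2.5.STABLE9-1.FC2.3.legacy."""
    m = BASE_RE.search(nvr)
    if m is None:
        raise ValueError(f"no squid base version in {nvr!r}")
    return tuple(int(part) for part in m.groups())


def outstanding(nvr, changelog, tracked, fixed_upstream):
    """Return tracked CVEs neither patched in the changelog nor fixed in the base."""
    base = base_version(nvr)
    patched = set(CVE_RE.findall(changelog))
    missing = []
    for cve in sorted(tracked):
        first_fixed = fixed_upstream.get(cve)
        in_base = first_fixed is not None and base >= first_fixed
        if cve not in patched and not in_base:
            missing.append(cve)
    return missing


if __name__ == "__main__":
    fc2 = "squid-2.5.STABLE9-1.FC2.3.legacy"
    old = "squid-2.5.STABLE3-0.example"  # constructed package name
    print(outstanding(fc2, FC2_CHANGELOG, TRACKED, {}))              # changelog only
    print(outstanding(fc2, FC2_CHANGELOG, TRACKED, FIXED_UPSTREAM))  # base-aware
    print(outstanding(old, FC2_CHANGELOG, TRACKED, FIXED_UPSTREAM))
```

Run with an empty upstream map, the FC2 package is flagged for CVE-2004-2479, which is the false positive corrected in comment 21; the same changelog on the older constructed base is flagged correctly.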

Comment 22 Marc Deslauriers 2005-11-21 04:24:33 UTC
The CVE-2005-3258 patch was for a bug introduced in the
squid-2.5.STABLE10-ftp_basehref.patch which we don't use, so we're not
vulnerable to that issue.

CVE-2005-2917 only applies to NTFS authentication, which the squid version in
rh7.3 doesn't support.

CVE-2005-1345 was not fixed in squid-2.4 from RHEL21, so I didn't fix it in
rh7.3's squid-2.4. Maybe this needs further investigation.

Comment 23 David Eisenstein 2005-11-21 05:50:31 UTC
Created attachment 121287
Yet better bug-sheet. (.sxc format, OpenOffice.org)

Thanks, Marc.  Like Visine, you got the red out.

Comment 24 Marc Deslauriers 2005-11-26 05:58:00 UTC
Think you could check these out again Pekka?

Comment 25 Pekka Savola 2005-11-26 07:25:13 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - the patches verified against RHEL, and in FC2 and for NTLM auth
   against upstream.  I did NOT verify Marc's analysis on which patches
   are (not) needed on which platform, so I assume it's OK.

+PUBLISH RHL73, RHL9, FC1, FC2

2dbcf936b058ecb5eac61b9c584402faf1aee9b2  squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDiA6AGHbTkzxSL7QRAmNbAJ48Lj21L7t6mYE+2pJyqZehDWqcIgCdHqf6
jMeWRAtoBqs0pk6GXyBmSxk=
=Jv2c
-----END PGP SIGNATURE-----


Comment 26 Marc Deslauriers 2005-11-26 14:36:30 UTC
Cool. Thanks Pekka!

Comment 27 Marc Deslauriers 2005-11-29 00:03:09 UTC
Packages were pushed to updates-testing.

Comment 28 Pekka Savola 2006-02-14 06:31:44 UTC
New policy: automatic accept after two weeks if no negative feedback.


Comment 29 Donald Maner 2006-02-16 17:55:08 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

2dbcf936b058ecb5eac61b9c584402faf1aee9b2  squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71  squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae  squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b  squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Installed with yum, edited the squid conf to add visible_hostname and correct
access ACL.

Browsed with http and https, and downloaded files using ftp.  Executed files
downloaded through FTP.  All were successful.  Verified usage in squid.log.

+VERIFY rh73,rh9,fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFD9L1LpxMPKJzn2lIRAoCyAJwIaqCokJMyBwNzlQXEc70SxYCacACfY2fZ
HvGmQxjTIQFIEJUchMHuq3w=
=GdSp
-----END PGP SIGNATURE-----

Comment 30 Pekka Savola 2006-02-16 18:09:14 UTC
Mmm, there may be a terminology error.  You're referring to src.rpm's, which you
probably couldn't install :-).  I guess you installed the binary versions in the
updates-testing directory?  Which OS versions did you test?

Comment 31 Donald Maner 2006-02-16 18:22:41 UTC
Whoops.  Bad cut'n'paste.  I DID qa the .rpms that were in updates-testing for
each release.

Comment 32 Pekka Savola 2006-02-16 18:25:28 UTC
You have access to every released architecture?  That's impressive -- thanks!

Comment 33 Marc Deslauriers 2006-02-18 19:14:17 UTC
Packages were released to updates.

Comment 34 Marc Deslauriers 2008-08-02 20:16:37 UTC
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

Squid  Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CVE-2005-2917)