Bug 146159 - CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175)
Summary: CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175)
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: squid
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jay Fenlason
QA Contact:
Whiteboard: impact=important,public=20050125
Keywords: Security
Duplicates: 147697
Reported: 2005-01-25 18:46 UTC by Josh Bressers
Modified: 2014-08-31 23:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2005-02-11 13:49:02 UTC
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2005:061
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: squid security update
Last Updated: 2005-02-11 05:00:00 UTC

Description Josh Bressers 2005-01-25 18:46:45 UTC
These issues were reported to vendor-sec

Sanity check usernames in squid_ldap_auth


LDAP is very forgiving about spaces in search filters and this could
be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting

severity:   Minor Security issue
date:       2005-01-17 04:29
bugzilla:   http://www.squid-cache.org/bugs/show_bug.cgi?id=1187
versions:   Squid-2.5 and earlier
platforms:  All
Workaround: Block logins with spaces
              acl login_with_spaces proxy_auth_regex [[:space:]]
              http_access deny login_with_spaces


Reject malformed HTTP requests and responses that conflict with the HTTP


This patch makes Squid considerably stricter while parsing the HTTP
1. A Content-length header should only appear once in a valid request
   or response. Multiple Content-length headers, in conjunction with
   specially crafted requests, may allow Squid's cache to be poisoned
   with bad content in certain situations.
2. CR characters are only allowed as part of the CR NL line terminator,
   not alone. This is to ensure that all involved agree on the structure
   of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set off Squid will become really strict about CR
characters and whitespace in header names, while in the default on
setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification.

severity: Security issue
date:        2005-01-25 13:37
versions:    Squid-2.5 and earlier
platforms:   All
workaround:  Disable client- and server-side persistent connections.
             This will limit the impact of mismatches in HTTP protocol
             parsing somewhat, but not fully.


Strengthen Squid from HTTP response splitting cache pollution attack


This patch additionally strengthens Squid from the HTTP response
splitting cache pollution attack described by Sanctum.

severity:    Security issue
date:        2005-01-21 12:43
bugzilla:    http://www.squid-cache.org/bugs/show_bug.cgi?id=1200
versions:    Squid-2.5 and earlier
platforms:   All
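
The three header-parsing rules listed in the description above (single Content-length, CR only as part of the line terminator, no whitespace in header names), written out as a strict check over a raw header block. This is an added example, not Squid's code or part of the original report; the function name `check_header_block` and the sample inputs are constructed for illustration.

```python
# Added example: strict validation of a raw HTTP header block.
# Not Squid's implementation; names and sample data are constructed.

def check_header_block(raw: bytes) -> list:
    """Return the rule violations found in a raw HTTP header block.

    `raw` is everything after the request/status line, up to (not
    including) the blank line that ends the headers.
    """
    problems = []

    # Rule 2: CR is only valid as part of the CR LF line terminator.
    stripped = raw.replace(b"\r\n", b"\n")
    if b"\r" in stripped:
        problems.append("bare CR")

    content_lengths = 0
    for line in stripped.split(b"\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header value
        name, sep, _value = line.partition(b":")
        if not sep:
            problems.append("line without colon")
            continue
        # Rule 3: no whitespace inside or after the header name.
        if any(c in b" \t" for c in name):
            problems.append("whitespace in header name")
        # Rule 1: Content-Length may appear only once. Count it even when
        # the name carries stray whitespace, since a lenient peer may
        # still honour that header.
        if name.strip().lower() == b"content-length":
            content_lengths += 1

    if content_lengths > 1:
        problems.append("multiple Content-Length")
    return problems


if __name__ == "__main__":
    # Constructed sample: two Content-Length headers disagree on body size.
    sample = b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n"
    print(check_header_block(sample))
```

A header block that any component in the chain would interpret differently from another is the condition these rules are meant to reject, so a non-empty result is grounds for refusing the message rather than cleaning it up.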


Comment 1 Josh Bressers 2005-01-25 18:49:32 UTC
These issues should also affect RHEL2.1

Comment 2 Josh Bressers 2005-01-28 13:04:49 UTC
CAN-2005-0173 Sanity check usernames in squid_ldap_auth

CAN-2005-0174 Reject malformed HTTP requests and responses that conflict with
the HTTP specifications

CAN-2005-0175 Strengthen Squid from HTTP response splitting cache pollution attack

Comment 3 Jay Fenlason 2005-02-10 19:01:26 UTC
*** Bug 147697 has been marked as a duplicate of this bug. ***

Comment 4 Josh Bressers 2005-02-11 13:49:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

