Bug 146160 - Multiple squid issues
Multiple squid issues
Product: Fedora
Classification: Fedora
Component: squid (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Jay Fenlason
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-01-25 13:53 EST by Josh Bressers
Modified: 2014-08-31 19:27 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-03-18 04:39:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2005-01-25 13:53:24 EST
*** This bug has been split off bug 146159 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.25
13:46 -------

These issues were reported to vendor-sec

Sanity check usernames in squid_ldap_auth


LDAP is very forgiving about spaces in search filters and this could
be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting

severity:   Minor Secuity issue
date:       2005-01-17 04:29
bugzilla:   http://www.squid-cache.org/bugs/show_bug.cgi?id=1187
versions:   Squid-2.5 and earlier
platforms:  All
Workaround: Block logins with spaces
              acl login_with_spaces proxy_auth_regex [:space:]
              http_access deny login_with_spaces


Reject malformed HTTP requests and responses that conflict with the HTTP


This patch makes Squid considerably stricter while parsing the HTTP
1. A Content-length header should only appear once in a valid request
   or response. Multiple Content-length headers, in conjunction with
   specially crafted requests, may allow Squid's cache to be poisioned
   with bad content in certain situations.
2. CR characters is only allowed as part of the CR NL line terminator,
   not alone. This to ensure that all involved agrees on the structure
   of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set off Squid will become really strict about CR
characters and whitespace in header names, while in the default on
setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification.

severity: Security issue
date:        2005-01-25 13:37
versions:    Squid-2.5 and earlier
platforms:   All
workaround:  Disable client- and server-side persistent connections.
             This will limit the impact of mismatches in HTTP protocol
             parsing somewhat, but not fully.


Strengthen Squid from HTTP response splitting cache pollution attack


This patch additionaly strengthens Squid from the HTTP response
splitting cache pollution attack described by Sanctum.

severity     Security issue
date         2005-01-21 12:43
bugzilla     http://www.squid-cache.org/bugs/show_bug.cgi?id=1200
versions     Squid-2.5 and earlier
platforms:   All

Comment 1 Josh Bressers 2005-01-25 13:54:10 EST
This issue should also affect FC2.
Comment 2 Mark J. Cox 2005-03-18 04:39:48 EST
FEDORA-2005-105 and FEDORA-2005-106

Note You need to log in before you can comment on or make changes to this bug.