*** This bug has been split off bug 146159 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.25 13:46 -------

These issues were reported to vendor-sec

--------------------------------------------------------------------------
Sanity check usernames in squid_ldap_auth
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces

Synopsis: LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting

severity: Minor Security issue
date: 2005-01-17 04:29
bugzilla: http://www.squid-cache.org/bugs/show_bug.cgi?id=1187
versions: Squid-2.5 and earlier
platforms: All
patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch

Workaround: Block logins with spaces

    # a POSIX class such as [:space:] only takes effect inside a bracket expression
    acl login_with_spaces proxy_auth_regex [[:space:]]
    http_access deny login_with_spaces

--------------------------------------------------------------------------
Reject malformed HTTP requests and responses that conflict with the HTTP specifications
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

Synopsis: This patch makes Squid considerably stricter while parsing the HTTP protocol.

1. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to be poisoned with bad content in certain situations.
2. CR characters are only allowed as part of the CR NL line terminator, not alone. This is to ensure that all involved agree on the structure of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header name.

The patch also adds a new relaxed_header_parser directive which defaults to on. If set off Squid will become really strict about CR characters and whitespace in header names, while in the default on setting Squid will ignore (and automatically clean up) common deviations from these parts of the HTTP specification.

severity: Security issue
date: 2005-01-25 13:37
versions: Squid-2.5 and earlier
platforms: All
patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-header_parsing.patch

workaround: Disable client- and server-side persistent connections. This will limit the impact of mismatches in HTTP protocol parsing somewhat, but not fully.

--------------------------------------------------------------------------
Strengthen Squid from HTTP response splitting cache pollution attack
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting

Synopsis: This patch additionally strengthens Squid from the HTTP response splitting cache pollution attack described by Sanctum.

severity: Security issue
date: 2005-01-21 12:43
bugzilla: http://www.squid-cache.org/bugs/show_bug.cgi?id=1200
versions: Squid-2.5 and earlier
platforms: All
patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-response_splitting.patch
--------------------------------------------------------------------------
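The three strict checks listed in the header_parsing advisory above, sketched as an added C example; it is not code from the Squid patch or from this bug report. The function and verdict names are hypothetical, the sample input is constructed, and only the strict behaviour is shown, not the clean-up done when relaxed_header_parser is on.

```c
#include <ctype.h>
#include <string.h>

/* Verdict names are illustrative; they are not Squid identifiers. */
enum hdr_verdict { HDR_OK, HDR_DUP_CONTENT_LENGTH, HDR_BARE_CR,
                   HDR_SPACE_IN_NAME, HDR_MALFORMED };

/* Case-insensitive match of an n-byte header name against want. */
static int name_is(const char *s, size_t n, const char *want)
{
    if (strlen(want) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)want[i]))
            return 0;
    return 1;
}

/* Strictly check the header lines that follow the request/status line. */
enum hdr_verdict check_headers(const char *buf, size_t len)
{
    int cl_seen = 0;
    for (size_t i = 0; i < len; i++)   /* rule 2: CR only as part of CR LF */
        if (buf[i] == '\r' && (i + 1 == len || buf[i + 1] != '\n'))
            return HDR_BARE_CR;
    for (size_t pos = 0; pos < len; ) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - line) : len - pos;
        pos += n + (nl ? 1 : 0);
        if (n && line[n - 1] == '\r') n--;               /* drop CR of CR LF */
        if (n == 0) break;                               /* end of headers */
        if (line[0] == ' ' || line[0] == '\t') continue; /* folded value */
        const char *colon = memchr(line, ':', n);
        if (!colon || colon == line) return HDR_MALFORMED;
        for (const char *p = line; p < colon; p++)       /* rule 3 */
            if (*p == ' ' || *p == '\t') return HDR_SPACE_IN_NAME;
        /* rule 1: a second Content-Length is rejected, whatever its value */
        if (name_is(line, (size_t)(colon - line), "Content-Length") && cl_seen++)
            return HDR_DUP_CONTENT_LENGTH;
    }
    return HDR_OK;
}

int main(void)
{
    /* Constructed sample: two Content-Length headers that disagree. */
    const char *twice = "Host: a.test\r\nContent-Length: 0\r\nContent-Length: 44\r\n\r\n";
    return check_headers(twice, strlen(twice)) == HDR_DUP_CONTENT_LENGTH ? 0 : 1;
}
```

Rejecting the message outright, rather than picking one of the conflicting lengths, is what keeps the proxy and the origin server from disagreeing about where one response ends and the next begins.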
CAN-2005-0173 Sanity check usernames in squid_ldap_auth
CAN-2005-0174 Reject malformed HTTP requests and responses that conflict with the HTTP specifications
CAN-2005-0175 Strengthen Squid from HTTP response splitting cache pollution attack
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-060.html
*** Bug 156699 has been marked as a duplicate of this bug. ***
*** Bug 156704 has been marked as a duplicate of this bug. ***