Bug 146161 - CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175)
CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: squid (Show other bugs)
4.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Jay Fenlason
David Lawrence
impact=important,public=20050125
: Security
: 156699 156704 (view as bug list)
Depends On:
Blocks: 142822
  Show dependency treegraph
 
Reported: 2005-01-25 13:53 EST by Josh Bressers
Modified: 2014-08-31 19:27 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-15 04:37:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2005-01-25 13:53:45 EST
*** This bug has been split off bug 146159 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.25
13:46 -------

These issues were reported to vendor-sec

--------------------------------------------------------------------------
Sanity check usernames in squid_ldap_auth

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces

Synopsis:
LDAP is very forgiving about spaces in search filters and this could
be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting

severity:   Minor Secuity issue
date:       2005-01-17 04:29
bugzilla:   http://www.squid-cache.org/bugs/show_bug.cgi?id=1187
versions:   Squid-2.5 and earlier
platforms:  All
patch:     
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch
Workaround: Block logins with spaces
              acl login_with_spaces proxy_auth_regex [:space:]
              http_access deny login_with_spaces

--------------------------------------------------------------------------

Reject malformed HTTP requests and responses that conflict with the HTTP
specifications

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

Synopsis:
This patch makes Squid considerably stricter while parsing the HTTP
protocol.
1. A Content-length header should only appear once in a valid request
   or response. Multiple Content-length headers, in conjunction with
   specially crafted requests, may allow Squid's cache to be poisioned
   with bad content in certain situations.
2. CR characters is only allowed as part of the CR NL line terminator,
   not alone. This to ensure that all involved agrees on the structure
   of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header
   name.
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set off Squid will become really strict about CR
characters and whitespace in header names, while in the default on
setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification.

severity: Security issue
date:        2005-01-25 13:37
versions:    Squid-2.5 and earlier
platforms:   All
patch:      
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-header_parsing.patch
workaround:  Disable client- and server-side persistent connections.
             This will limit the impact of mismatches in HTTP protocol
             parsing somewhat, but not fully.

--------------------------------------------------------------------------

Strengthen Squid from HTTP response splitting cache pollution attack

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting

Synopsis:
This patch additionaly strengthens Squid from the HTTP response
splitting cache pollution attack described by Sanctum.

severity     Security issue
date         2005-01-21 12:43
bugzilla     http://www.squid-cache.org/bugs/show_bug.cgi?id=1200
versions     Squid-2.5 and earlier
platforms:   All
patch:      
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-response_splitting.patch

--------------------------------------------------------------------------
Comment 1 Josh Bressers 2005-01-28 07:35:46 EST
CAN-2005-0173 Sanity check usernames in squid_ldap_auth

CAN-2005-0174 Reject malformed HTTP requests and responses that conflict with
the HTTP specifications

CAN-2005-0175 Strengthen Squid from HTTP response splitting cache pollution attack
Comment 2 Mark J. Cox (Product Security) 2005-02-15 04:37:49 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-060.html
Comment 3 Josh Bressers 2005-05-06 11:34:52 EDT
*** Bug 156699 has been marked as a duplicate of this bug. ***
Comment 4 Josh Bressers 2005-05-06 11:35:41 EDT
*** Bug 156704 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.