iDEFENSE reported on 2004-10-11 a vulnerability in the squid SNMP module. This issue could lead to a potential DOS (it will restart the server, dropping all open connections).

http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135320
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135319

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-11 19:30:05 ----
Patch available here:
http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump

------- Additional Comments From rob.myers.edu 2004-10-12 05:35:39 ----
Packages to QA for FC1:

changelog:
* Tue Oct 12 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.2.legacy
- apply patch for CAN-2004-0918 bug #2150
- group last patch under fedora legacy security updates
* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.1.legacy
- apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0541
* Mon Jun 07 2004 Jay Fenlason <fenlason> 7:2.5.STABLE3-2.fc1
- Backport patch for CAN-2004-0541: buffer overflow in ntlm auth helper.

e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7 http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm
4ed87eab384871e59a22ce0292637fe45930f9c3 http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.2.legacy.i386.rpm
ae53c32e6b0a1105ec444143536f159a11839124 http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-debuginfo-2.5.STABLE3-2.fc1.2.legacy.i386.rpm

------- Additional Comments From simon 2004-10-14 10:17:14 ----
Created an attachment (id=885)
7.3 patch

Here's a patch for squid-2.4.STABLE6 for redhat 7.3
Packages to follow shortly.

- Si

------- Additional Comments From simon 2004-10-14 10:26:01 ----
Test packages for 7.3.

%changelog
* Thu Oct 14 2004 Simon Weller <simon>
- added patch to address asn_parse_header() DOS (CAN-2004-0918)

ftp://potelweller.com/fedora_legacy/testing/squid-2.4.STABLE6-6.7.4.7.x.legacy.i386.rpm
ftp://potelweller.com/fedora_legacy/testing/squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm

sha1sum:
120e20f466423a28a5bb3db208ba3794b17af1d7 *squid-2.4.STABLE6-6.7.4.7.x.legacy.i386.rpm
e2bf5c3cc1681ab9adae3fef6852717512b7801f *squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm

- Si

------- Additional Comments From marcdeslauriers 2004-10-16 05:58:31 ----
This bug supersedes bug 2053

------- Additional Comments From marcdeslauriers 2004-10-16 06:01:58 ----
I did QA on the fc1 squid package:
e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7 squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm
- Sources match last release
- Spec file looks good
- Patch for CAN-2004-0541 is present
- Patch for CAN-2004-0832 is present (Changelog references wrong CAN number)
- Patch for CAN-2004-0918 is present
- Builds, installs and runs

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-10-16 06:19:10 ----
I did QA on the rh73 squid package:
e2bf5c3cc1681ab9adae3fef6852717512b7801f squid-2.4.STABLE6-6.7.4.7.x.legacy.src.rpm
- Sources match last release
- Spec file looks good
- Patch for CAN-2004-0541 is not needed
- Patch for CAN-2004-0832 is not needed
- Patch for CAN-2004-0918 is present and looks good
- Builds, installs and runs

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-10-16 07:29:02 ----
Here are updated packages for rh9:

Changelog:
* Sat Oct 16 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-6.9.legacy
- CAN-2004-0918 security patch (snmp DoS)
* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-5.9.legacy
- CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM helpers)
* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-4.9.legacy
- CAN-2004-0541 security patch (NTLM Authentication Helper Buffer Overflow)

ba74736311c002f17dda452ec49ad18654f07db2 squid-2.5.STABLE1-6.9.legacy.i386.rpm
4757903683ff3d1afff604807f307073a963baa4 squid-2.5.STABLE1-6.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-6.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-6.9.legacy.src.rpm

------- Additional Comments From josh.kayse.edu 2004-10-18 08:56:59 ----
I did QA on the FC1 package:
e1b12fb4c1ff6475b7d536e16e3eb117e392d7c7 squid-2.5.STABLE3-2.fc1.2.legacy.src.rpm
- source identical to squid-2.5.STABLE3-0.src.rpm from mirrors.kernel.org
- spec file looks good
- patch files are good
- builds cleanly
- installs clean
- runs ok

+ PUBLISH

------- Additional Comments From dom 2004-10-20 10:31:57 ----
https://rhn.redhat.com/errata/RHSA-2004-591.html

------- Additional Comments From jpdalbec 2004-12-13 12:29:57 ----
04.49.15 CVE: Not Available
Platform: Unix
Title: Squid Proxy Failed DNS Lookup Information Disclosure
Description: Squid is a web proxy software package. It is reported to be vulnerable to an information disclosure issue. The issue presents itself when it processes a sequence of failed DNS lookup requests, and returns random error messages to the user. Squid versions 2.5 and earlier are reported to be vulnerable.
Ref: http://secunia.com/advisories/13408/

------- Additional Comments From pekkas 2004-12-21 06:29:36 ----
I have not yet seen the latest problem even reported to any vendor (nothing in RH bugzilla, or debian, nothing on bugtraq), but it does not seem to be severe.

Patch at: http://www.squid-cache.org/bugs/attachment.cgi?id=523&action=view

.. though we could possibly also go forward without it, if folks think that would be acceptable (as FC1 and RHL73 have been QA'd already).

------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-06 22:46:17 ----
Another minor security problem has been found.
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
>The meaning of the access controls becomes somewhat confusing if any of the referenced acls is declared empty, without any members.
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch

------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-12 22:28:02 ----
Other new problems were found.

One of them is "Denial of service with forged WCCP messages".
Advisory: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch

And the other is "buffer overflow bug in gopherToHTML()".
Advisory: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch

Additionally Secunia announced "NTLM fakeauth_auth Helper Denial of Service" at http://secunia.com/advisories/13789/ .
Advisory: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch
But the last bug is not marked as a security problem on the squid website.

------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-23 22:20:04 ----
>#14
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0094
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0095
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0097

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145543

------- Additional Comments From fedora-legacy-bugzilla-2004 2005-01-23 22:20:51 ----
Additionally, another two security patches have been released.

"Strengthen Squid from HTTP response splitting cache pollution attack"
Advisory: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-response_splitting.patch

"Sanity check usernames in squid_ldap_auth"
Advisory: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
Patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch

------- Additional Comments From marcdeslauriers 2005-02-04 20:04:42 ----
* Buffer overflow when handling WCCP recvfrom() (CAN-2005-0211).
* Loose checking of HTTP headers (CAN-2005-0173 and CAN-2005-0174).
* Incorrect handling of LDAP login names with spaces (CAN-2005-0175).
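The asn_parse_header() DOS (CAN-2004-0918) this bug was opened for lives in the SNMP module's BER header parsing. As an added example, not Squid's code, the following shows the checks a BER tag/length parser needs so that a hostile length field can only make the parser reject the PDU, never read past the buffer; SAMPLE and the BAD_* messages are constructed, and BerError/BerHeader are names chosen here.

```python
"""Bounds-checked ASN.1 BER tag/length parsing, as used for SNMP PDUs.

Added example (not Squid's code): every length taken from the wire is
compared with the bytes that actually remain before it is trusted, and
the width of a long-form length is capped so it cannot overflow a
32-bit counter. Sample messages are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed SNMP-style SEQUENCE { INTEGER 0, OCTET STRING "public" }.
SAMPLE = bytes.fromhex("300b" "020100" "0406" + b"public".hex())
# Constructed malformed headers: oversized long-form length, indefinite
# length, and a short-form length larger than the bytes that follow.
BAD_OVERSIZED = bytes.fromhex("3084ffffffff")
BAD_INDEFINITE = bytes.fromhex("3080")
BAD_TRUNCATED = bytes.fromhex("3005020100")


class BerError(ValueError):
    """Any malformed or oversized header; the caller drops the whole PDU."""


@dataclass(frozen=True)
class BerHeader:
    tag: int         # identifier octet (class, constructed bit, tag number)
    length: int      # number of content octets that follow the header
    header_len: int  # octets consumed by the tag and length fields


def parse_header(buf: bytes, offset: int = 0) -> BerHeader:
    """Parse one tag/length header starting at buf[offset]."""
    if len(buf) - offset < 2:
        raise BerError("truncated header")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise BerError("high tag number form not used by SNMP")
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first                       # short form: 0..127
    elif first == 0x80:
        raise BerError("indefinite length not allowed in SNMP")
    else:
        width = first & 0x7F                 # long form: width in octets
        if width > 4:
            raise BerError("length field too wide")
        if len(buf) - pos < width:
            raise BerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    if length > len(buf) - pos:
        raise BerError("length exceeds available data")
    return BerHeader(tag, length, pos - offset)


def decode_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split buf into consecutive (tag, content) pairs, checking each header."""
    out, offset = [], 0
    while offset < len(buf):
        hdr = parse_header(buf, offset)
        start = offset + hdr.header_len
        out.append((hdr.tag, buf[start:start + hdr.length]))
        offset = start + hdr.length
    return out


def is_well_formed(pdu: bytes) -> bool:
    """True when the outer SEQUENCE and all of its children frame correctly."""
    try:
        outer = decode_tlvs(pdu)
        if len(outer) != 1 or outer[0][0] != 0x30:
            return False
        decode_tlvs(outer[0][1])
        return True
    except BerError:
        return False


if __name__ == "__main__":
    for name, pdu in [("SAMPLE", SAMPLE), ("BAD_OVERSIZED", BAD_OVERSIZED),
                      ("BAD_INDEFINITE", BAD_INDEFINITE), ("BAD_TRUNCATED", BAD_TRUNCATED)]:
        print(f"{name:15} well-formed={is_well_formed(pdu)}")
```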
------- Additional Comments From marcdeslauriers 2005-02-04 20:08:28 ----
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146787
CAN-2005-0194 Empty proxy_auth ACLs are silently accepted but lead to unpredictable ACL matching

------- Additional Comments From marcdeslauriers 2005-02-10 13:31:41 ----
CAN-2005-0241
The httpProcessReplyHeader function in Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers. The impact is unknown.

------- Additional Comments From pekkas 2005-02-15 22:44:03 ----
RHEL patches available now from:
https://rhn.redhat.com/errata/RHSA-2005-061.html

------- Additional Comments From marcdeslauriers 2005-02-16 11:54:12 ----
Here are updated squid packages to QA:

Changelog 7.3:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.4.STABLE7-0.73.1.legacy
- Rebuilt as Fedora Legacy security update for Red Hat Linux 7.3
* Tue Feb 01 2005 Jay Fenlason <fenlason>
- Two more security fixes:
  * CAN-2005-0211 bz#146777 buffer overflow in wccp recvfrom() call
  * bz#146780 correct handling of oversize reply headers
* Mon Jan 31 2005 Jay Fenlason <fenlason>
- Change the squid user's login shell to /sbin/nologin
* Mon Jan 31 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.3
- Don't include the 0-length files created by patch in the errors directory.
* Fri Jan 28 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.2
- Backport three more security fixes to close bz#146159
- Also backport the -reply_header_max_size patch
- Reorganize this spec file to apply upstream patches first.
* Thu Jan 20 2005 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as.1
- Backport fixes for CAN-2005-0094 (remote DOS in parsing malformed Gopher messages) and CAN-2005-0095 (remote DOS in parsing malformed wccp messages).
- This version of squid is not vulnerable to CAN-2005-0096 and CAN-2005-0097 because it does not contain the ntlm_auth helper.
* Tue Oct 12 2004 Jay Fenlason <fenlason> 7:2.4.STABLE7-1.21as
- Backport SNMP_core_dump patch from 2.5.STABLE6 to fix CAN-2004-0918 (Remote DoS)
* Mon Jun 21 2004 Jay Fenlason <fenlason> 7:2.4.STABLE7-0.21as
- bump to 2.4.STABLE7 to pick up all the post STABLE6 patches
- Include the three upstream patches to 2.4.STABLE7
- Add the forward_retries one-line patch for bugzilla #120849

Changelog 9:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-7.9.legacy
- Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096, CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175, CAN-2005-0194, CAN-2005-0211, CAN-2005-0241
* Sat Oct 16 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-6.9.legacy
- CAN-2004-0918 security patch (snmp DoS)
* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-5.9.legacy
- CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM helpers)
* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-4.9.legacy
- CAN-2004-0541 security patch (NTLM Authentication Helper Buffer Overflow)

Changelog fc1:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE3-2.fc1.3.legacy
- Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096, CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175, CAN-2005-0194, CAN-2005-0211, CAN-2005-0241
* Tue Oct 12 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.2.legacy
- apply patch for CAN-2004-0918 bug #2150
- group last patch under fedora legacy security updates
* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.1.legacy
- apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0832

7.3:
ac31751861e73b63e846dca6fab15268738aa43e squid-2.4.STABLE7-0.73.1.legacy.i386.rpm
fe1f50aa76db2911b84036c44a5f51698cf12d7a squid-2.4.STABLE7-0.73.1.legacy.src.rpm
9:
6f7e0d734636408c9821cc6356832a6449b8ed1b squid-2.5.STABLE1-7.9.legacy.i386.rpm
aa9fd1f085673b8c33bacb71b2ea9357958a0a74 squid-2.5.STABLE1-7.9.legacy.src.rpm
fc1:
689a84a8f5253c34c935fdca8f58a764898c21dd squid-2.5.STABLE3-2.fc1.3.legacy.i386.rpm
d111414894a5dcfc521261f16f7643cb3c87354e squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-7.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-7.9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm

------- Additional Comments From pekkas 2005-02-17 11:09:55 ----
QA w/ rpm-build-compare.sh:
- source integrity OK
- spec file changes a bit noisy at times, but acceptable
- verified the patches from upstream; a couple in RHL9 were renamed and had minor differences, but appear to be OK.

+PUBLISH RHL73,RHL9,FC1

fe1f50aa76db2911b84036c44a5f51698cf12d7a squid-2.4.STABLE7-0.73.1.legacy.src.rpm
aa9fd1f085673b8c33bacb71b2ea9357958a0a74 squid-2.5.STABLE1-7.9.legacy.src.rpm
d111414894a5dcfc521261f16f7643cb3c87354e squid-2.5.STABLE3-2.fc1.3.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-02-20 12:30:28 ----
Packages pushed to updates-testing

------- Additional Comments From marcdeslauriers 2005-03-19 11:41:39 ----
Here are new squid packages to QA:

Changelog:
* Sat Mar 19 2005 Marc Deslauriers <marcdeslauriers> 7:2.4.STABLE7-0.73.2.legacy
- Added security patch for CAN-2005-0446 taken from RHEL3
- Added backported security patch for CAN-2005-0626

7.3:
5531efe9d4ab8e265d7fe79e8f3e013f4cc2913a squid-2.4.STABLE7-0.73.2.legacy.i386.rpm
edefe80878fe0cc4b14787134197bbc57d46212f squid-2.4.STABLE7-0.73.2.legacy.src.rpm
9:
d4e688a366a9a0e1c951da52f9b994cfb4209f2a squid-2.5.STABLE1-9.9.legacy.i386.rpm
eb74c7bc83e0042719da92d47c6cb0902b160128 squid-2.5.STABLE1-9.9.legacy.src.rpm
1:
1acfbce9a6221abac6a3e51aa124e19de3df7fde squid-2.5.STABLE3-2.fc1.5.legacy.i386.rpm
dab926549b985d8d677b4731b463afdfa00c8a74 squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-03-19 11:43:31 ----
A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue.
https://rhn.redhat.com/errata/RHSA-2005-173.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0446

05.10.28 CVE: CAN-2005-0626
Platform: Cross Platform
Title: Squid Proxy Set-Cookie Information Disclosure
Description: Squid is web proxy software. It is affected by a remote information disclosure problem. The issue presents itself when the requested server employs the Netscape "Set-Cookie" specifications. Squid Proxy versions 2.5 STABLE7 through version 2.5 STABLE9 are affected.
Ref: http://www.securityfocus.com/advisories/8208

------- Additional Comments From marcdeslauriers 2005-03-19 11:44:44 ----
*** Bug 2446 has been marked as a duplicate of this bug. ***

------- Additional Comments From pekkas 2005-03-19 13:42:10 ----
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- the dns_assert patch verified to come from upstream, the setcookie patch verified to be correct w/ Ubuntu's patch

I noted that the RHEL3 version has "requires: linuxdoc-tools" which this one does not have, but as it compiles fine, this is OK I think.

+PUBLISH RHL73,RHL9,FC1

edefe80878fe0cc4b14787134197bbc57d46212f squid-2.4.STABLE7-0.73.2.legacy.src.rpm
eb74c7bc83e0042719da92d47c6cb0902b160128 squid-2.5.STABLE1-9.9.legacy.src.rpm
dab926549b985d8d677b4731b463afdfa00c8a74 squid-2.5.STABLE3-2.fc1.5.legacy.src.rpm

------- Bug moved to this database by dkl 2005-03-30 18:28 -------
This bug previously known as bug 2150 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2150
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
7.3 patch https://bugzilla.fedora.us/attachment.cgi?action=view&id=885

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
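The empty-ACL problem tracked above (the squid-2.5.STABLE7-empty_acls advisory and CAN-2005-0194, empty proxy_auth ACLs silently accepted) is a configuration hazard as much as a code bug: an access rule can name an acl that has no members. As an added example, not Squid's own parser, the following check walks a squid.conf and reports every access rule that references an empty or undefined acl; SAMPLE_CONF is constructed.

```python
"""Lint squid.conf for access rules that reference empty or undefined ACLs.

Added configuration check (not Squid's code) for the empty-ACL issue
discussed in this bug: an 'acl NAME TYPE' line with no members, once
referenced from http_access, does not match the way its author expects.
The sample configuration is constructed."""
from typing import Dict, List, Tuple

ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "icp_access"}

SAMPLE_CONF = """
# constructed excerpt of /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl staff proxy_auth
acl contractors proxy_auth REQUIRED
acl blocked dstdomain -i .example.test
http_access allow contractors
http_access allow staff localnet
http_access deny blocked
http_access allow !all accounting
http_access deny all
"""


def parse_acls(conf: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map acl name -> (type, members).

    Members accumulate across repeated 'acl NAME TYPE ...' lines, as squid
    itself merges them; option flags such as -i are not members."""
    acls: Dict[str, Tuple[str, List[str]]] = {}
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()      # drop comments
        if len(tokens) < 3 or tokens[0] != "acl":
            continue
        name, acl_type = tokens[1], tokens[2]
        members = [t for t in tokens[3:] if not t.startswith("-")]
        if name in acls:
            acls[name][1].extend(members)
        else:
            acls[name] = (acl_type, members)
    return acls


def parse_access_rules(conf: str) -> List[Tuple[int, str, str, List[str]]]:
    """(line number, directive, allow|deny, referenced acl names without '!')."""
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] in ACCESS_DIRECTIVES:
            rules.append((lineno, tokens[0], tokens[1],
                          [t.lstrip("!") for t in tokens[2:]]))
    return rules


def lint(conf: str) -> List[Tuple[int, str, str]]:
    """Return (line number, problem, acl name) for every risky reference.

    'empty' means the acl is declared but has no members; 'undefined'
    means no acl line declares it at all. Either way the rule's effect
    is not what a reader of the file would assume."""
    acls = parse_acls(conf)
    findings = []
    for lineno, _directive, _action, names in parse_access_rules(conf):
        for name in names:
            if name not in acls:
                findings.append((lineno, "undefined", name))
            elif not acls[name][1]:
                findings.append((lineno, "empty", name))
    return findings


if __name__ == "__main__":
    for lineno, problem, name in lint(SAMPLE_CONF):
        print(f"line {lineno}: acl '{name}' is {problem}")
```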
*** Bug 152778 has been marked as a duplicate of this bug. ***
Packages were pushed to updates-testing.
*** Bug 152733 has been marked as a duplicate of this bug. ***
05.19.16 CVE: Not Available
Platform: Unix
Title: Squid Proxy Unspecified DNS Spoofing
Description: Squid Proxy is a freely available, open source web proxy software package. Squid Proxy is affected by an unspecified DNS spoofing vulnerability. Squid Proxy versions 2.5 and earlier are known to be vulnerable.
Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query
(2) MODERATE: Multiple Vendor HTTP Request Smuggling
Affected: Configurations involving a number of popular web proxy/cache servers and web application firewalls
Description: A new attack technique named "HTTP Request Smuggling" has been reported to affect configurations that involve one or more web entities (i.e. a web proxy server, a web cache server or a web application firewall) between a user and a web server. The attack can be carried out by crafting back-to-back HTTP requests that are interpreted differently by the web entities. For example, if an HTTP request is crafted with two distinct HTTP "Content-Length" headers, the two web entities may process the same request by honoring either the first or the last "Content-Length" header. The discoverers have shown how an attacker can exploit such behaviors by crafting HTTP requests that may result in web cache poisoning, bypassing the web firewall, cross-site scripting (requiring no user interaction) or session hijacking. The vulnerable example configurations listed in the discoverers' posting include Sun ONE proxy server, Sun ONE webserver, CheckPoint Firewall, Microsoft IIS server, Microsoft ISA server, Apache, Jakarta Tomcat server, IBM WebSphere, BEA WebLogic, Oracle9iAS, Squid, Delegate and Oracle WebCache.
Status: Squid and CheckPoint have distributed patches. The status regarding other vendors is not currently known.
Council Site Actions: Two council sites are still evaluating if they are vulnerable. One site has already patched their system.
References:
Watchfire Whitepaper http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
SecurityFocus BID http://www.securityfocus.com/bid/13873

05.23.14 CVE: Not Available
Platform: Cross Platform
Title: Multiple Vendor Multiple HTTP Request Smuggling
Description: Multiple vendors are prone to a new class of attack named "HTTP Request Smuggling". This class of attack basically revolves around piggybacking an HTTP request inside of another HTTP request. By leveraging failures to implement the HTTP/1.1 RFC properly, it is demonstrated that this class of attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks. Reports indicate that Microsoft IIS 5.0 is affected.
Ref: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
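The advisories above turn on two implementations framing the same request differently, for instance by honoring different "Content-Length" headers. As an added example, not Squid's code, the following applies the message-framing rules of RFC 7230 section 3.3.3 (which postdates this thread) so that a proxy refuses any request it cannot frame unambiguously; the sample requests are constructed and FramingError is a name chosen here.

```python
"""Strict HTTP/1.1 request framing for a proxy or cache.

Added example (not Squid's code): a request that two conforming
implementations could frame differently is refused instead of being
forwarded, which removes the disagreement request smuggling depends on.
The sample requests are constructed."""
import re
from typing import List, Optional, Tuple

CRLF = b"\r\n"
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 tchar

# Constructed requests: one clean, one with conflicting Content-Length
# fields, one mixing Transfer-Encoding with Content-Length.
CLEAN = (b"POST /cgi HTTP/1.1\r\nHost: cache.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS_CL = (b"POST /cgi HTTP/1.1\r\nHost: cache.example\r\n"
                b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n"
                b"GET /other HTTP/1.1\r\nHost: cache.example\r\n\r\n")
AMBIGUOUS_TE = (b"POST /cgi HTTP/1.1\r\nHost: cache.example\r\n"
                b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"
                b"0\r\n\r\n")


class FramingError(ValueError):
    """The request cannot be framed unambiguously; do not forward it."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split the request head into the request line and (name, value) pairs.

    Bare LF line endings, obsolete line folding and whitespace before the
    colon are refused: intermediaries normalise them differently, and that
    is exactly the disagreement smuggling exploits."""
    if CRLF * 2 not in raw:
        raise FramingError("head not terminated by CRLF CRLF")
    head = raw.split(CRLF * 2, 1)[0]
    if b"\n" in head.replace(CRLF, b""):
        raise FramingError("bare LF inside header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def body_length(headers: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return the body length in bytes, or None when the body is chunked.

    Stricter than the RFC minimum: duplicate Content-Length fields are
    refused even when their values agree, and Transfer-Encoding must be
    exactly "chunked"."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        if cl:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("Transfer-Encoding is not exactly chunked")
        return None
    if not cl:
        return 0
    if len(cl) > 1:
        raise FramingError("duplicate Content-Length fields")
    if not cl[0].isdigit():
        raise FramingError("Content-Length is not a decimal integer")
    return int(cl[0])


def check(raw: bytes) -> str:
    """'ok:<length>' or 'ok:chunked', or the reason the request was refused."""
    try:
        _, headers = parse_head(raw)
        length = body_length(headers)
        return "ok:chunked" if length is None else f"ok:{length}"
    except FramingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, raw in [("CLEAN", CLEAN), ("AMBIGUOUS_CL", AMBIGUOUS_CL),
                      ("AMBIGUOUS_TE", AMBIGUOUS_TE)]:
        print(f"{name:13} {check(raw)}")
```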
05.37.15 CVE: CAN-2005-2794
Platform: Unix
Title: Squid Proxy Aborted Requests Remote Denial of Service
Description: Squid Proxy is a freely available, open source Web proxy software package. A remote denial of service vulnerability affects the Squid Proxy. This issue is due to a failure of the application to properly handle exceptional network requests. A remote attacker may leverage this issue to crash the affected Squid Proxy, denying service to legitimate users.
Ref: http://www.securityfocus.com/bid/14761
++VERIFY for RHL 7.3

RHL 7.3 Packages:
squid-2.4.STABLE7-0.73.2.legacy.i386.rpm

Checksums and signatures verify okay. I installed the program without any problems. After a long learning curve on how to configure it (I've never used squid before) I was actually able to make it work! I tested some basic functionality, and it all worked amazingly well. I did NOT test the exact security problem (SNMP) but rather tested ftp and http only. I uninstalled it without issue.

Vote for release for RHL 7.3.
++VERIFY
++VERIFY for RHL 9

RHL 9 Packages:
squid-2.5.STABLE1-9.9.legacy.i386.rpm

Checksums and signatures verify okay. I installed the program without any problems. Upon running, I got the error messages:

init_cache_dir /var/spool/squid... /etc/rc.d/init.d/squid: line 162: 3604 Aborted $SQUID -z -F -D 2>/dev/null
Starting squid: /etc/rc.d/init.d/squid: line 162: 3605 Aborted $SQUID $SQUID_OPTS 2>/dev/null [FAILED]

Apparently it can't figure out my hostname. I edited /etc/squid/squid.conf and added the 'visible_hostname' to be my fully qualified host name. After that, it started fine. This is, I presume, a problem with my machine setup and not a bug in squid per se.

Once configured and running, it worked fine as an HTTP proxy/accelerator. I didn't test the SNMP functionality or bug fix; I just used it as an HTTP proxy/accelerator.

Vote for release for RHL 9.
++VERIFY
Thanks, timeouts in 2 weeks.
Timeout over.
I've moved the vulnerabilities I reported post-updates-testing to Bug #170410 so this bug can be closed when the packages are released.
Created attachment 120495 [details] Table of CVE's this bug ticket fixes & new CVE's for next one. The attached table indicates all the CVE's I was able to determine that this bug #152809 fixes for the 3 distros handled in this bug report, plus FC2. "Y" in a row means that the CVE on that row is fixed for the distro in the column. This table also documents all of the CVE's I could find that are (or may be) issues for our next Bug #170410 to fix. These are the ones with the "N" (meaning "no, not fixed here") for the distro/CVE's. Some helpful links (like to RHSA reports or upstream patches where useful) are also placed on each row. Hope this is helpful.
I am not going to release the packages in updates-testing as they are seriously out-of-date. Let's track the new issues in this bug.
*** Bug 170410 has been marked as a duplicate of this bug. ***
Here are new squid packages to QA:

rh7.3 Changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.4.STABLE7-0.73.3.legacy
- Added security patches for CVE-2005-0718, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479 and CVE-2005-2794
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

rh9 changelog:
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-9.10.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

fc1 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE3-2.fc1.6.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent unauthorized viewing of potential plaintext passwords

fc2 changelog:
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE9-1.FC3.3.legacy
- Added security patches for CVE-1999-0710, CVE-2005-1519, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917

rh7.3:
7f2ecd2112c5be2b30e3561fbf51e42ef57d3301 7.3/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm
2dbcf936b058ecb5eac61b9c584402faf1aee9b2 7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
rh9:
f60363c2614c4ef99db6e9084a965819c6b76a17 9/squid-2.5.STABLE1-9.10.legacy.i386.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71 9/squid-2.5.STABLE1-9.10.legacy.src.rpm
fc1:
64e1464f0448299157b799c9c387c4d6de549b5f 1/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae 1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
fc2:
e03ee3e4ff5a8c9ea70e49e0fb551703d7194f8c 2/squid-2.5.STABLE9-1.FC2.3.legacy.i386.rpm
8f238269d9391da661aabfafaed08e39f1164c3b 2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-9.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/
http://www.infostrategique.com/linuxrpms/legacy/2/
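The bug-sheet attachments discussed in this thread cross-check, by hand, which CVEs each release's changelog claims to fix. As an added tooling example, not part of Fedora Legacy's process, the following script does the same from %changelog text, normalising the older CAN- prefix to CVE- (both name the same issue); the changelog excerpts are copied from the QA posting above and TRACKED is a constructed list for the example.

```python
"""Cross-check RPM %changelog entries against a CVE tracking list.

Added tooling example: pulls CVE/CAN identifiers out of each release's
changelog and marks every tracked issue Y or N per release, the way the
attached bug-sheets do. An N only means "not named in the changelog";
as the follow-up comments in this bug show, an issue may also simply not
apply to a release. Changelog excerpts are from the QA posting above;
TRACKED is constructed."""
import re
from typing import Dict, List

_ID = re.compile(r"\b(?:CVE|CAN)-(\d{4}-\d{4,})\b")

CHANGELOGS = {
    "rh7.3": """
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.4.STABLE7-0.73.3.legacy
- Added security patches for CVE-2005-0718, CVE-1999-0710, CVE-2005-1519,
  CVE-2004-2479 and CVE-2005-2794
""",
    "rh9": """
* Wed Nov 16 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-9.10.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345, CVE-1999-0710,
  CVE-2005-1519, CVE-2004-2479, CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917
* Sat Oct 16 2004 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE1-6.9.legacy
- CAN-2004-0918 security patch (snmp DoS)
""",
    "fc2": """
* Tue Nov 15 2005 Marc Deslauriers <marcdeslauriers> 7:2.5.STABLE9-1.FC3.3.legacy
- Added security patches for CVE-1999-0710, CVE-2005-1519, CVE-2005-2794,
  CVE-2005-2796 and CVE-2005-2917
""",
}

# Constructed tracking list: the issues the bug-sheet discussion raised.
TRACKED = ["CVE-2005-0718", "CVE-2005-1345", "CVE-1999-0710", "CVE-2005-1519",
           "CVE-2004-2479", "CVE-2005-2794", "CVE-2005-2796", "CVE-2005-2917",
           "CVE-2005-3258"]
RELEASES = list(CHANGELOGS)


def extract_ids(text: str) -> List[str]:
    """All CVE/CAN identifiers in text, normalised to CVE- and sorted."""
    return sorted({f"CVE-{num}" for num in _ID.findall(text)})


def fix_matrix(changelogs: Dict[str, str],
               tracked: List[str]) -> Dict[str, Dict[str, bool]]:
    """matrix[cve][release] is True when the release's changelog names the CVE."""
    fixed = {rel: set(extract_ids(text)) for rel, text in changelogs.items()}
    return {cve: {rel: cve in ids for rel, ids in fixed.items()} for cve in tracked}


def unlisted(matrix: Dict[str, Dict[str, bool]],
             releases: List[str]) -> Dict[str, List[str]]:
    """Per release, the tracked CVEs its changelog does not mention (the N cells)."""
    return {rel: [cve for cve, row in matrix.items() if not row[rel]]
            for rel in releases}


def render(matrix: Dict[str, Dict[str, bool]], releases: List[str]) -> str:
    """Plain-text Y/N table in the style of the attached bug-sheet."""
    width = max(len(cve) for cve in matrix)
    lines = [f"{'CVE':<{width}}  " + "  ".join(f"{r:>5}" for r in releases)]
    for cve, row in matrix.items():
        cells = "  ".join(f"{'Y' if row[r] else 'N':>5}" for r in releases)
        lines.append(f"{cve:<{width}}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = fix_matrix(CHANGELOGS, TRACKED)
    print(render(matrix, RELEASES))
    for rel, missing in unlisted(matrix, RELEASES).items():
        print(f"{rel}: not listed: {', '.join(missing) or 'none'}")
```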
Argh. Squid is a pain in the ass. I just spent an hour trying to verify these for correctness, but the patches were so difficult to figure out that I gave up. What I was easily able to check was that RHL73 and FC1 corresponded to the RHEL packages, and the patches matched except for the NTLM-assert patch which RHEL doesn't ship (yet). FC1 and RHL9 also appeared to have the same patches, though the contents were somewhat different. I couldn't figure out why FC2 seemed to be missing the ssl-diff, connect, connect_truncated (3/4 of CVE-2005-2796) and dothost (CVE-2004-2479) patches. RHEL also included squid-2.5.STABLE10-statHistAssert.patch but that isn't an urgent update so leaving it out is OK. I'm not sure how we could continue here without wasting a significant amount of energy. Perhaps RHL9 squid should be upgraded to the same version as FC1 to make it easier to ship both together and align with RHEL, or something.
The sslConnectTimeout patch applies directly to the squid version used in FC2 and completely fixes CVE-2005-2796. The ssl-diff, connect and connect_truncated patches were made by RedHat to update the version of the ssl.c file in older squid releases to a version that can be patched by sslConnectTimeout. The dothost patch is already included upstream in squid-2.5.STABLE10. Upgrading versions is not in line with Legacy's guidelines. There are zillions of patches to QA because we haven't kept up with squid releases.
But FC2 has STABLE9, not STABLE10?
Oops, sorry, I meant "already included upstream in squid-2.5.STABLE9", so it is already included in fc2.
Created attachment 121285 [details] Updated bug-sheet. (.sxc format, OpenOffice.org) Was just wondering, there are a number of CVE's identified in the table in attachment 120495 [details] that are not listed in your Changelogs, Marc. (I haven't looked at anything but the changelogs from comment 15 so far.) Were these not fixed? In this new attachment, all cells with an "N" marked in green are CVE's that are marked fixed in the changelogs. Cells marked in red are those that I am concerned about: RH7.3: CVE-2005-1345, CVE-2005-2917, CVE-2005-3258 RH9 : CVE-2005-3258 FC1 : CVE-2005-3258 FC2 : CVE-2004-2479, CVE-2005-3258 CVE-2005-3258 is apparently considered major severity by the Squid folks. <http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape> Thanks.
Created attachment 121286 [details] Corrected Updated bug-sheet. (.sxc format, OpenOffice.org) Oops. I made the same mistake as Pekka. I now see that CVE-2004-2479 was a patch in squid-2.5.STABLE7, so was included in squid-2.5.STABLE8 and later, so is not a concern in FC2. Corrected table attached. Sorry 'bout that.
The CVE-2005-3258 patch was for a bug introduced in the squid-2.5.STABLE10-ftp_basehref.patch which we don't use, so we're not vulnerable to that issue. CVE-2005-2917 only applies to NTFS authentication, which the squid version in rh7.3 doesn't support. CVE-2005-1345 was not fixed in squid-2.4 from RHEL21, so I didn't fix it in rh7.3's squid-2.4. Maybe this needs further investigation.
Created attachment 121287 [details] Yet better bug-sheet. (.sxc format, OpenOffice.org) Thanks, Marc. Like Visine, you got the red out.
Think you could check these out again Pekka?
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- the patches verified against RHEL, and in FC2 and for NTLM auth against upstream.

I did NOT verify Marc's analysis on which patches are (not) needed on which platform, so I assume it's OK.

+PUBLISH RHL73, RHL9, FC1, FC2

2dbcf936b058ecb5eac61b9c584402faf1aee9b2 squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71 squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm
Cool. Thanks Pekka!
New policy: automatic accept after two weeks if no negative feedback.
I performed QA on the following packages:

2dbcf936b058ecb5eac61b9c584402faf1aee9b2 squid-2.4.STABLE7-0.73.3.legacy.src.rpm
5185c13f38ee196eb37392e6ac2500a3e67faa71 squid-2.5.STABLE1-9.10.legacy.src.rpm
5b41bae1eaf97ea444209ca8940d83ad05c10eae squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
8f238269d9391da661aabfafaed08e39f1164c3b squid-2.5.STABLE9-1.FC2.3.legacy.src.rpm

Installed with yum, edited the squid conf to add visible_hostname and correct access ACL. Browsed with http and https, and downloaded files using ftp. Executed files downloaded through FTP. All were successful. Verified usage in squid.log.

+VERIFY rh73,rh9,fc1,fc2
Mmm, there may be a terminology error. You're referring to src.rpm's, which you probably couldn't install :-). I guess you installed the binary versions in the updates-testing directory? Which OS versions did you test?
Whoops. Bad cut'n'paste. I DID qa the .rpms that were in updates-testing for each release.
You have access to every released architecture? That's impressive -- thanks!
Packages were released to updates.
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was: Squid Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CVE-2005-2917)