List: annvix-announce
Subject: [announce] AVXSA-2005:018 security fixes
From: vdanen () annvix ! org
Date: 2005-07-01 3:08:43
Message-ID: E1DoBtT-0006hk-Uk () build ! annvix ! org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Annvix Security Update Advisory
_______________________________________________________________________
Package name: squid
Advisory ID: AVXSA-2005:018
Date: June 30th, 2005
Affected versions: 1.0-RELEASE
______________________________________________________________________
Problem Description:

Squid 2.5, when processing the configuration file, parses empty Access
Control Lists (ACLs), including proxy_auth ACLs without defined auth
schemes, in a way that effectively removes arguments, which could
allow remote attackers to bypass intended ACLs if the administrator
ignores the parser warnings (CAN-2005-0194).

A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the
Netscape Set-Cookie recommendations for handling cookies in caches,
may cause Set-Cookie headers to be sent to other users, which allows
attackers to steal the related cookies (CAN-2005-0626).

A bug in the way Squid processes errors in the access control list was
also found. It is possible that an error in the access control list
could give users more access than intended (CAN-2005-1345).

A bug was found in the way that Squid handles DNS replies. If the
port Squid uses for DNS requests is not protected by a firewall, it is
possible for a remote attacker to spoof DNS replies, possibly
redirecting a user to spoofed or malicious content (CAN-2005-1519).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1519
______________________________________________________________________
Updated Packages:
Annvix 1.0-RELEASE:
d9d8fcb9eef0fb3cea35aaed0f8daaccefc17ba3 1.0-RELEASE/SRPMS/squid-2.5.STABLE10-1avx.src.rpm
2cd9113390f9064b2e4d9c1f46837558b2233a91 1.0-RELEASE/i586/squid-2.5.STABLE10-1avx.i586.rpm
e13ed93eb6d65c3701206dd4442919018ecc4e91 1.0-RELEASE/x86_64/squid-2.5.STABLE10-1avx.x86_64.rpm
_______________________________________________________________________
All Annvix security advisories are available at:
http://annvix.org/advisories/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFCxLMIJnj1HmfyJpYRAgTzAJ9cZdgvktwedZbvU7W8L7UBDBPfwwCfSwK2
IsEl/jmo0ZLbPWsZGNJvKDk=
=4cEV
-----END PGP SIGNATURE-----
_______________________________________________
announce mailing list
announce@annvix.org
http://annvix.org/mailman/listinfo/announce
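
Added example, not part of the advisory or of Squid: a small squid.conf check for the condition described under CAN-2005-0194, flagging access rules that reference an ACL with no values or a proxy_auth ACL when no auth_param scheme is defined. The sample configuration and the function name lint_squid_acls are constructed for illustration; ACL values loaded from external files are not inspected.

```python
# Constructed sample squid.conf, not taken from the advisory.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
# value list left empty by mistake
acl blocked_sites dstdomain
# proxy_auth ACL, but no auth_param line defines a scheme
acl staff proxy_auth REQUIRED
http_access deny blocked_sites
http_access allow localnet staff
http_access deny all
"""

def lint_squid_acls(conf_text):
    """Return sorted (line_no, acl_name, reason) findings for a squid.conf text."""
    value_count, acl_type, rules = {}, {}, []
    has_auth_scheme = False
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or full-line comment
        if tokens[0] == "auth_param":
            has_auth_scheme = True
        elif tokens[0] == "acl" and len(tokens) >= 3:
            name = tokens[1]
            acl_type[name] = tokens[2]
            # An ACL may be defined over several lines; values accumulate.
            value_count[name] = value_count.get(name, 0) + len(tokens) - 3
        else:
            # Access rules: "<directive> [...] allow|deny [!]acl ..."
            for i, tok in enumerate(tokens[1:], 1):
                if tok in ("allow", "deny"):
                    rules.append((line_no, [t.lstrip("!") for t in tokens[i + 1:]]))
                    break
    empty = {}
    for name, count in value_count.items():
        if count == 0:
            empty[name] = "ACL has no values"
        elif acl_type[name].startswith("proxy_auth") and not has_auth_scheme:
            empty[name] = "proxy_auth ACL but no auth_param scheme defined"
    # Report every access rule that depends on an ACL flagged above.
    return sorted((line_no, name, empty[name])
                  for line_no, names in rules for name in names if name in empty)

if __name__ == "__main__":
    for line_no, name, reason in lint_squid_acls(SAMPLE_CONF):
        print(f"line {line_no}: rule uses '{name}': {reason}")
```

Each reported rule is one to review by hand, together with the warnings Squid prints when it parses the configuration.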