
List:       annvix-announce
Subject:    [announce] AVXSA-2005:018 security fixes
From:       vdanen () annvix ! org
Date:       2005-07-01 3:08:43
Message-ID: E1DoBtT-0006hk-Uk () build ! annvix ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                    Annvix Security Update Advisory
 _______________________________________________________________________

 Package name:           squid
 Advisory ID:            AVXSA-2005:018
 Date:                   June 30th, 2005

 Affected versions:      1.0-RELEASE
 ______________________________________________________________________

 Problem Description:

 Squid 2.5, when processing the configuration file, parses empty Access
 Control Lists (ACLs), including proxy_auth ACLs without defined auth
 schemes, in a way that effectively removes arguments, which could
 allow remote attackers to bypass intended ACLs if the administrator
 ignores the parser warnings (CAN-2005-0194).

 A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the
 Netscape Set-Cookie recommendations for handling cookies in caches,
 may cause Set-Cookie headers to be sent to other users, which allows
 attackers to steal the related cookies (CAN-2005-0626).

 A bug in the way Squid processes errors in the access control list was
 also found.  It is possible that an error in the access control list
 could give users more access than intended (CAN-2005-1345).

 A bug was found in the way that Squid handles DNS replies.  If the
 port Squid uses for DNS requests is not protected by a firewall, it is
 possible for a remote attacker to spoof DNS replies, possibly
 redirecting a user to spoofed or malicious content (CAN-2005-1519).
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0710
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0194
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0626
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1345
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1519
 ______________________________________________________________________

 Updated Packages:

 Annvix 1.0-RELEASE:
 d9d8fcb9eef0fb3cea35aaed0f8daaccefc17ba3  1.0-RELEASE/SRPMS/squid-2.5.STABLE10-1avx.src.rpm
 2cd9113390f9064b2e4d9c1f46837558b2233a91  1.0-RELEASE/i586/squid-2.5.STABLE10-1avx.i586.rpm
 e13ed93eb6d65c3701206dd4442919018ecc4e91  1.0-RELEASE/x86_64/squid-2.5.STABLE10-1avx.x86_64.rpm
 _______________________________________________________________________

 All Annvix security advisories are available at:

   http://annvix.org/advisories/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCxLMIJnj1HmfyJpYRAgTzAJ9cZdgvktwedZbvU7W8L7UBDBPfwwCfSwK2
IsEl/jmo0ZLbPWsZGNJvKDk=
=4cEV
-----END PGP SIGNATURE-----

_______________________________________________
announce mailing list
announce@annvix.org
http://annvix.org/mailman/listinfo/announce
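
An added example, not part of the advisory and not Annvix or Squid code: a Python audit for the CAN-2005-0194 condition described above, listing ACLs that end up empty (no values, or proxy_auth with no auth_param scheme defined) and the http_access rules that reference them. The squid.conf sample is constructed, `audit` is a hypothetical helper, and the "effective" rule only models the advisory's statement that empty ACLs are effectively removed from the rule; ACL values loaded from quoted files are not opened.

```python
# Constructed sample squid.conf (not taken from the advisory).
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl staff proxy_auth
acl blocked dstdomain
acl ntlm_users proxy_auth REQUIRED
http_access deny blocked
http_access allow localnet staff
http_access allow localnet ntlm_users
http_access deny all
"""


def audit(conf_text):
    """Return (empty_acls, findings); findings are (lineno, rule, effective_rule)."""
    acl_values, acl_type, has_auth, rules = {}, {}, False, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "auth_param":
            has_auth = True                     # at least one auth scheme exists
        elif tok[0] == "acl" and len(tok) >= 3:
            # An ACL name may be declared on several lines; values accumulate.
            acl_type[tok[1]] = tok[2]
            acl_values.setdefault(tok[1], []).extend(tok[3:])
        elif tok[0] == "http_access" and len(tok) >= 2:
            rules.append((lineno, tok))
    # Empty: no values at all, or proxy_auth while no auth scheme is defined.
    empty = {name for name, vals in acl_values.items()
             if not vals or (acl_type[name] == "proxy_auth" and not has_auth)}
    findings = []
    for lineno, tok in rules:
        # Assumption: model the rule with the empty ACL arguments removed.
        kept = [t for t in tok[2:] if t.lstrip("!") not in empty]
        if len(kept) != len(tok) - 2:
            findings.append((lineno, " ".join(tok), " ".join(tok[:2] + kept)))
    return empty, findings


if __name__ == "__main__":
    empty_acls, hits = audit(SAMPLE_CONF)
    print("empty ACLs:", ", ".join(sorted(empty_acls)))
    for lineno, rule, effective in hits:
        print(f"line {lineno}: '{rule}' may be evaluated as '{effective}'")
```

Any finding is a reason to fix the ACL definition rather than rely on the parser warning being noticed.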
