Bug 83955 - www-proxy/squid: Set-Cookie Header Leak Security Issue
Summary: www-proxy/squid: Set-Cookie Header Leak Security Issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Versions/v...
Whiteboard: B4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
Reported: 2005-03-03 07:03 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:35 UTC

See Also:
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-03 07:03:05 UTC
Description:
A security issue has been reported in Squid, which may disclose sensitive information to malicious people.

The problem is caused by a race condition, which may cause Set-Cookie headers to leak to other users. This only happens when a requested server relies on the obsolete Netscape Set-Cookie specification.

Solution:
Apply patch for 2.5.STABLE9:
http://www.squid-cache.org/Versi...quid-2.5.STABLE9-setcookie.patch

Original Advisory:
http://www.squid-cache.org/Versi...ugs/#squid-2.5.STABLE9-setcookie
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2005-03-03 10:38:27 UTC
Version bumped to 2.5.9. It is already marked stable on x86.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 10:56:17 UTC
Alin could you fix bug #83976 (if applicable) in the same round?
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2005-03-03 11:29:33 UTC
Bug #83976 has been fixed.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 11:33:49 UTC
Arches please test and mark 2.5.9 stable.
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-03 13:30:53 UTC
Stable on ppc.
Comment 6 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-03 14:43:31 UTC
Stable on amd64.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-04 12:05:06 UTC
Stable on sparc.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-03-04 14:03:12 UTC
Stable on ppc64.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-05 13:52:40 UTC
Stable on alpha.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-03-08 04:48:54 UTC
Voting against a GLSA.

NB:
- rated minor-security on squid-cache.org
- Ubuntu published USN-93-1 about this
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 05:26:53 UTC
Not worth a GLSA as such, maybe talk about it in next Squid GLSA (yes, there will be one).
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-08 05:29:44 UTC
Koon, thx for closing. I'll make a mental note for the next Squid GLSA.
Comment 13 Alin Năstac (RETIRED) gentoo-dev 2005-03-08 05:57:52 UTC
OK, this is closed, but what about bug #83976? It was fixed in the same ebuild version (see comment #3).
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-08 10:21:49 UTC
These issues seem rather minor. Experience tells me we will have another issue soon to bundle these with.
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2005-03-13 18:41:18 UTC
Stable on mips.
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:24:07 UTC
Newer version already stable.