From SecurityFocus: Squid Proxy is prone to an unspecified DNS spoofing vulnerability. This could allow malicious users to perform DNS spoofing attacks on Squid Proxy clients on unprotected networks. This issue affects Squid Proxy versions 2.5 and earlier. ------------------- A patch against 2.5.STABLE9 is available at http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE9-dns_query-4.patch
net-proxy, please advise. There is also a release candidate from today that likely has the patch in it, not sure when STABLE10 is expected to be released though.
looks like a serious problem to me. version bumped to 2.5.10_rc3 and marked stable on x86 P.S. I'm a little annoyed about the negligence of the upstream regarding the quality of the inter-release patches. It is the second time when I had problems appliying official patches to the latest official release. I thought it is better to use the rc3 tarball - who knows what else is missing from the published patches?
Arches please test and mark stable.
ppc stable.
stable on ppc64
stable on amd64
Stable on hppa.
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by OS at startup) is unfiltered and your network is not protected from IP spoofing. __ http://www.securitytracker.com/alerts/2005/May/1013952.html
Stable on alpha + ia64.
sparc stable.
submitted with x86 from the beggining
½ YES vote.
Other Squid issues in the queue (both very minor imho): bug #89149 bug #83955
Half vote against a GLSA, but hard to decide... We do have 3 in the queue though now... So one should be considered now or after the next issue.
I half-vote NO too, but I agree the next one is the good one.
Lets queue this. Reverting to full NO for the time being->Closing.
Stable on mips.
