Bug#: 45273
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Wolfram Schlich <wschlich@gentoo.org>

Description:   Opened: 2004-03-21 04:20 0000
Quote from the ISS announcement:

Squid Web Proxy Cache versions 2.x through 2.5.STABLE4 could allow a remote attacker to bypass Access Control Lists (ACL). By sending a specially-crafted URL request containing '%00', the url_regex ACL may not properly detect the malicious URL, allowing the attacker to bypass the ACL. 

Reproducible: Always
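
Added example, not part of the original report and not Squid's code: a minimal C sketch of how a decoded '%00' can hide the rest of a URL from a regex ACL, next to a check that fails closed. It assumes the cause is that the decoded NUL byte ends the C string handed to the POSIX regex matcher (the quoted announcement does not spell out the mechanism) and models url_regex as a deny rule; all function names, the pattern and the URLs are constructed.

```c
/* Added illustration (not Squid's code); all names here are hypothetical. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (needs strlen(src)+1 bytes); returns decoded length. */
static size_t url_unescape(const char *src, char *dst) {
    size_t n = 0;
    for (; *src; src++) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 2;
        } else {
            dst[n++] = *src;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Shared body: returns 1 when the request is denied. reject_nul selects the hardened path. */
static int acl_denies(const char *pattern, const char *url, int reject_nul) {
    regex_t re;
    char buf[1024];
    if (strlen(url) >= sizeof buf || regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 1;                          /* fail closed on oversized URL or bad pattern */
    size_t n = url_unescape(url, buf);
    int has_nul = strlen(buf) != n;        /* decoded NUL shortens the C string */
    /* regexec() stops at the first NUL, so text after a decoded %00 is never examined */
    int denied = (reject_nul && has_nul) || regexec(&re, buf, 0, NULL, 0) == 0;
    regfree(&re);
    return denied;
}

int acl_denies_weak(const char *p, const char *u)     { return acl_denies(p, u, 0); }
int acl_denies_hardened(const char *p, const char *u) { return acl_denies(p, u, 1); }

int main(void) {
    const char *pat = "blocked-path";                       /* constructed deny pattern */
    const char *url = "http://proxy-test.invalid/%00/blocked-path"; /* constructed */
    printf("weak denies: %d, hardened denies: %d\n",
           acl_denies_weak(pat, url), acl_denies_hardened(pat, url));
    return 0;
}
```

The same length comparison (decoded length versus strlen) works as a log-side check for requests whose decoded form contains an embedded NUL.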

------- Comment #1 From Wolfram Schlich 2004-03-21 04:21:08 0000 -------
There's already an updated version (net-www/squid-2.5.5) which should just be
marked stable.

------- Comment #2 From solar 2004-03-21 08:49:46 0000 -------
arch maintainers please try to confirm squid-2.5.5 on your arch 
can be marked stable.

------- Comment #3 From Jason Wever (RETIRED) 2004-03-21 09:07:33 0000 -------
stable on sparc.

------- Comment #4 From Aron Griffis (RETIRED) 2004-03-21 13:54:00 0000 -------
looks good on alpha and ia64

------- Comment #5 From Wolfram Schlich 2004-03-23 08:24:20 0000 -------
This should IMHO be released ASAP...
ppc@, wassap with you? ;)

------- Comment #6 From Wolfram Schlich 2004-03-26 16:45:36 0000 -------
hey, any news?! I mean, it's getting late... and: better a security fix on some
arches than on none. anyway, could we please do anything about it? I don't have
access to ppc or hppa machines, otherwise I'd test it...

------- Comment #7 From Wolfram Schlich 2004-03-29 05:06:58 0000 -------
This is now 8 days old. Sorry, but something gotta happen soon :-(

------- Comment #8 From Guy Martin 2004-03-30 02:57:29 0000 -------
marked stable on hppa.
sorry for the delay

------- Comment #9 From Kurt Lieber 2004-03-30 04:25:12 0000 -------
PPC -- plztest.

------- Comment #10 From Lars Weiler (RETIRED) 2004-03-30 07:04:17 0000 -------
Sorry for the delay, currently compiling on ppc.

The ppc-team realised last night that only SeJo (new dev) and me are the ones with stable boxes since DarkSpecter's box died.  So I have to roll up the work from the last two weeks, starting with security bugs.

------- Comment #11 From Lars Weiler (RETIRED) 2004-03-30 07:20:15 0000 -------
It's stable on ppc now, removing from Cc.

BTW, x86 still did not confirm it stable.

------- Comment #12 From Kurt Lieber 2004-03-30 07:28:44 0000 -------
Donny -- sorry for adding you late to the game, I thought Wolfram was the
package maintainer.  Is squid 2.5.5 safe to mark stable on x86?

------- Comment #13 From Donny Davies (RETIRED) 2004-03-30 10:02:39 0000 -------
Hi Kurt

Please feel free, I know of no reason to hold it back from going stable.

Regards.

------- Comment #14 From Tim Yamin (RETIRED) 2004-03-30 10:10:11 0000 -------
Stable on X86, thanks Donny. PPC64; can you folks get this stable along with
the dependencies so we can roll this out? Thanks!

------- Comment #15 From Wolfram Schlich 2004-03-31 00:37:38 0000 -------
Ah, it's marked stable on all but ppc64 :)
A _big thanks_ to everyone who helped to test and roll this update!

------- Comment #16 From Kurt Lieber 2004-03-31 00:48:44 0000 -------
GLSA 200403-11
