
Bug 228593

Summary: net-proxy/squidguard <1.3-r1 "Trailing dot" domain access restriction bypass (SG-2008-06-13)
Product: Gentoo Security
Reporter: Yar Odin <yarodin>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-proxy+disabled, releng
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.squidguard.org/Doc/sg-2008-06-13.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Yar Odin 2008-06-20 16:58:53 UTC
By adding a trailing dot to the domain it is possible to bypass the filter and access blocked sites.

This only affects people using squidGuard with squid version 3.0 STABLE1 to STABLE5 (higher versions may be affected as well; in any case, if you are running squid 3.0 make sure to patch). Squid version 2.6 is known to remove trailing dots from domains before passing the URLs to squidGuard.

Affected versions: 1.3, 1.2.1 and below
Corrected in version 1.4 alpha (and higher) 

Reproducible: Always




http://www.squidguard.org/Downloads/Patches/1.3/squidGuard-1.3-patch-20080613.tar.gz 
(MD5: fb0a12bf289b73ed6ecf5ff4ad971648) 

http://www.squidguard.org/Downloads/Patches/1.2.1/squidGuard-1.2.1-patch-20080613.tar.gz 
(MD5: ab33fb4f7381e5b30543f7f79a3d4345)
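
The trailing-dot bypass described in this report, modeled as an added example (not squidGuard's code and not part of the original bug report): a simplified domain blocklist lookup that misses a host with a trailing dot, next to a version that canonicalises the host before the lookup. The blocklist entries and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for this example (not from any real deployment). */
static const char *BLOCKED[] = { "blocked.example", "ads.example.net" };
#define NBLOCKED (sizeof BLOCKED / sizeof BLOCKED[0])

/* Suffix match on label boundaries: "www.blocked.example" matches
 * "blocked.example", but "notblocked.example" does not. */
static int suffix_match(const char *host, const char *dom)
{
    size_t hl = strlen(host), dl = strlen(dom);
    if (hl < dl || strcmp(host + hl - dl, dom) != 0)
        return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Naive lookup: compares the host exactly as the proxy passed it in. */
int is_blocked_naive(const char *host)
{
    for (size_t i = 0; i < NBLOCKED; i++)
        if (suffix_match(host, BLOCKED[i]))
            return 1;
    return 0;
}

/* Canonicalise first (lower-case, strip trailing dots), then look up. */
int is_blocked_normalized(const char *host)
{
    char buf[256];
    size_t n = strlen(host);
    if (n >= sizeof buf)
        return 1;               /* fail closed on oversized hostnames */
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)tolower((unsigned char)host[i]);
    while (n > 0 && buf[n - 1] == '.')
        n--;                    /* "blocked.example." -> "blocked.example" */
    buf[n] = '\0';
    return is_blocked_naive(buf);
}

int main(void)
{
    const char *samples[] = { "www.blocked.example", "www.blocked.example.", "ok.example" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s naive=%d normalized=%d\n", samples[i],
               is_blocked_naive(samples[i]), is_blocked_normalized(samples[i]));
    return 0;
}
```

The same canonicalisation belongs wherever a filter receives hostnames from a component that may or may not strip the trailing dot itself, which is the difference between squid 2.6 and 3.0 noted above.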
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2008-06-20 22:06:14 UTC
Fixed in net-proxy/squidguard-1.3-r1. Arch teams, please mark this version as stable.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-06-21 02:26:06 UTC
Providing a new version of the file is a really weird way to patch.... Anyway, adding release@
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-21 08:19:25 UTC
x86 stable
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-06-21 20:22:23 UTC
ppc64 stable
Comment 5 Markus Meier gentoo-dev 2008-06-22 11:36:01 UTC
amd64 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-23 19:44:07 UTC
ppc stable
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-06-24 01:07:04 UTC
I vote NO for this since the initial comment #0 stated only squid 3.0 and higher is affected, and that is ~arch for us.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-24 15:02:35 UTC
no too, closing