| Summary: | <net-proxy/squidguard-1.4-r4: Security restrictions bypasses (CVE-2009-{3700,3826}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | d.s.j.birch, net-proxy+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/37107/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tobias Heinlein (RETIRED)
2009-10-26 20:20:01 UTC

Maintainers, please provide an ebuild that includes the said patches.

*** Bug 290981 has been marked as a duplicate of this bug. ***

CVE-2009-3700 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3700): Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote attackers to cause a denial of service (application hang or loss of blocking functionality) via a long URL with many / (slash) characters, related to "emergency mode."

CVE-2009-3826 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3826): Multiple buffer overflows in squidGuard 1.4 allow remote attackers to bypass intended URL blocking via a long URL, related to (1) the relationship between a certain buffer size in squidGuard and a certain buffer size in Squid and (2) a redirect URL that contains information about the originally requested URL.

Patch 20091019 was already applied in version 1.4-r3, see vsnprintf.patch. Second patch has been imported in our tree as upstream-fixes.patch, although the quality of this patch is dubious. Please mark squid-1.4-r4 as stable.

amd64/x86 stable, all arches done.

sorry... my script is running insane

ppc64 done

Stable for PPC.

GLSA vote: no.

NO too, closing