Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 586668 (CVE-2015-8936)

Summary: <net-proxy/squidguard-1.5_beta-r1: Reflected cross site scripting vulnerability in squidGuard.cgi
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: pinkbyte
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1348457
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-06-22 07:00:51 UTC
From ${URL} :

A reflected cross site scripting vulnerability is present in the blocking script squidGuard.cgi. 
The vulnerability is triggered when a user clicks a link to a blocked site where the url has 
scripting instructions added.

External references:

http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20150201

CVE request:

http://seclists.org/oss-sec/2016/q2/569


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 23:26:20 UTC
@maintainer, fix is in the 1.5 release.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-05 14:25:35 UTC
The 1.5 available on the website matches the beta that is already in the tree.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 22:02:03 UTC
(In reply to Jeroen Roovers from comment #2)
> The 1.5 available on the website matches the beta that is already in the
> tree.

--- squidGuard-1.4-patch-20150201/squidGuard.cgi  2015-02-02 03:43:27.000000000 +0900
+++ squidGuard-1.5-beta/samples/squidGuard.cgi.in 2010-09-09 19:34:32.000000000 +0900

Compared the upstream patch set for 1.4 against the 1.5 beta release in tree.  All is good.  

@maintainer(s), please cleanup the vulnerable version in tree.
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2016-07-07 20:52:40 UTC
Vulnerable versions are removed from tree