Quote from the ISS announcement:
Squid Web Proxy Cache versions 2.x through 2.5.STABLE4 could allow a remote attacker to bypass Access Control Lists (ACL). By sending a specially-crafted URL request containing '%00', the url_regex ACL may not properly detect the malicious URL, allowing the attacker to bypass the ACL.
Steps to Reproduce:
There's already an updated version (net-www/squid-2.5.5) which should just be marked stable.
arch maintainers please try to confirm squid-2.5.5 on your arch can be marked stable.
stable on sparc.
looks good on alpha and ia64
This should IMHO be released ASAP...
ppc@, wassap with you? ;)
hey, any news?! I mean, it's getting late... and: better a security fix on some arches than on none. anyway, could we please do anything about it? I don't have access to ppc or hppa machines, otherwise I'd test it...
This is now 8 days old. Sorry, but something gotta happen soon :-(
marked stable on hppa.
sorry for the delay
PPC -- plztest.
Sorry for the delay, currently compiling on ppc.
The ppc-team realised last night that only SeJo (new dev) and me are the ones with stable boxes since DarkSpecter's box died. So I have to roll up the work from the last two weeks, starting with security bugs.
It's stable on ppc now, removing from Cc.
BTW, x86 still has not confirmed it stable.
Donny -- sorry for adding you late to the game, I thought Wolfram was the package maintainer. Is squid 2.5.5 safe to mark stable on x86?
Please feel free, I know of no reason to hold it back from going stable.
Stable on X86, thanks Donny. PPC64; can you folks get this stable along with the dependencies so we can roll this out? Thanks!
Ah, it's marked stable on all but ppc64 :)
A _big thanks_ to everyone who helped to test and roll this update!
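
The bug class described in the ISS announcement quoted at the top of this report, shown as an added example; it is not Squid's code and not part of the original thread. It assumes the bypass comes from percent-decoding %00 into a NUL byte that ends the C string handed to the regex matcher; `acl_denies`, `url_unescape`, `hexval` and the sample URL are hypothetical.

```c
/* Added illustration, not Squid source: a url_regex-style deny check. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes). Returns -1 on
 * a malformed escape and, when reject_nul is set, on an encoded NUL (%00). */
static int url_unescape(const char *src, char *dst, int reject_nul)
{
    while (*src) {
        if (*src != '%') { *dst++ = *src++; continue; }
        int hi = hexval((unsigned char)src[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
        if (lo < 0 || (reject_nul && hi == 0 && lo == 0)) return -1;
        *dst++ = (char)(hi * 16 + lo);
        src += 3;
    }
    *dst = '\0';
    return 0;
}

/* Returns 1 when the request is denied, 0 when it is let through.
 * strict=0 decodes %00 to a real NUL, so regexec() only sees the text before it.
 * strict=1 denies any URL carrying an encoded NUL before the regex runs. */
int acl_denies(const char *deny_pattern, const char *raw_url, int strict)
{
    char decoded[1024];
    regex_t re;
    if (strlen(raw_url) >= sizeof(decoded)) return 1;          /* fail closed */
    if (url_unescape(raw_url, decoded, strict) != 0) return 1; /* fail closed */
    if (regcomp(&re, deny_pattern, REG_EXTENDED | REG_NOSUB) != 0) return 1;
    int rc = regexec(&re, decoded, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    const char *url = "http://site.example/%00forbidden"; /* constructed sample */
    printf("naive=%d strict=%d\n", acl_denies("forbidden", url, 0),
           acl_denies("forbidden", url, 1));
    return 0;
}
```

With the constructed URL, the non-strict path lets the request through and the strict path denies it. The same reasoning applies to any filter that matches a decoded URL through a NUL-terminated string API.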