Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 45273 - Squid url_regex ACL bypass
Summary: Squid url_regex ACL bypass
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Highest blocker (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2004-03-21 04:20 UTC by Wolfram Schlich (RETIRED)
Modified: 2004-03-31 00:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
plasmaroo: Pending-


Note You need to log in before you can comment on or make changes to this bug.
Description Wolfram Schlich (RETIRED) gentoo-dev 2004-03-21 04:20:13 UTC
Quote from the ISS announcement:

Squid Web Proxy Cache versions 2.x through 2.5.STABLE4 could allow a remote attacker to bypass Access Control Lists (ACL). By sending a specially-crafted URL request containing '%00', the url_regex ACL may not properly detect the malicious URL, allowing the attacker to bypass the ACL. 

Reproducible: Always
Steps to Reproduce:
Comment 1 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-21 04:21:08 UTC
There's already an updated version (net-www/squid-2.5.5) which should just be marked stable.
Comment 2 solar (RETIRED) gentoo-dev 2004-03-21 08:49:46 UTC
arch maintainers please try to confirm squid-2.5.5 on your arch 
can be marked stable.
Comment 3 Jason Wever (RETIRED) gentoo-dev 2004-03-21 09:07:33 UTC
stable on sparc.
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-03-21 13:54:00 UTC
looks good on alpha and ia64
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-23 08:24:20 UTC
This should IMHO be released ASAP...
ppc@, wassap with you? ;)
Comment 6 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-26 16:45:36 UTC
hey, any news?! I mean, it's getting late... and: better a security fix on some arches than on none. anyway, could we please do anything about it? I don't have access to ppc or hppa machines, otherwise I'd test it...
Comment 7 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-29 05:06:58 UTC
This is now 8 days old. Sorry, but something gotta happen soon :-(
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-03-30 02:57:29 UTC
marked stable on hppa.
sorry for the delay
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 04:25:12 UTC
PPC -- plztest.
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 07:04:17 UTC
Sorry for the delay, currently compiling on ppc.

The ppc-team realised last night that only SeJo (new dev) and me are the ones with stable boxes since DarkSpecter's box died.  So I have to roll up the work from the last two weeks, starting with security bugs.
Comment 11 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 07:20:15 UTC
It's stable on ppc now, removing from Cc.

BTW, x86 still did not comfired it stable.
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 07:28:44 UTC
Donny -- sorry for adding you late to the game, I thought Wolfram was the package maintainer.  Is squid 2.5.5 safe to mark stable on x86?
Comment 13 Donny Davies (RETIRED) gentoo-dev 2004-03-30 10:02:39 UTC
Hi Kurt

Please feel free, I know of no reason to hold it back from going stable.

Comment 14 Tim Yamin (RETIRED) gentoo-dev 2004-03-30 10:10:11 UTC
Stable on X86, thanks Donny. PPC64; can you folks get this stable along with the dependencies so we can roll this out? Thanks!
Comment 15 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-31 00:37:38 UTC
Ah, it's marked stable on all but ppc64 :)
A _big thanks_ to everyone to helped to test and roll this update!
Comment 16 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 00:48:44 UTC
GLSA 200403-11