Bug 45273 - Squid url_regex ACL bypass
Summary: Squid url_regex ACL bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Highest blocker
Assignee: Gentoo Security
URL: http://xforce.iss.net/xforce/xfdb/15366
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-21 04:20 UTC by Wolfram Schlich (RETIRED)
Modified: 2004-03-31 00:48 UTC

Runtime testing required: ---
plasmaroo: Pending-
Description Wolfram Schlich (RETIRED) gentoo-dev 2004-03-21 04:20:13 UTC
Quote from the ISS announcement:

Squid Web Proxy Cache versions 2.x through 2.5.STABLE4 could allow a remote attacker to bypass Access Control Lists (ACL). By sending a specially-crafted URL request containing '%00', the url_regex ACL may not properly detect the malicious URL, allowing the attacker to bypass the ACL. 

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
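The ISS text above says a '%00' in the request URL can keep a url_regex ACL from matching. The block below is an added example, not Squid's code and not part of this bug report: it is a constructed toy model of that class of defect (a decoded NUL byte truncating what a C-string-style matcher sees), placed beside a hardened check that decodes the URL once, refuses any URL containing a NUL byte, and only then evaluates the rule on the full string. It also scans constructed Squid-style access-log lines for encoded NULs so an operator can spot such requests in existing logs. The deny pattern, host names, addresses and log lines are all assumptions made for the example.

```python
"""Added example: toy model of a NUL-byte ACL bypass beside a hardened check.
Not Squid's implementation; the regex, URLs and log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed deny rule in the spirit of a Squid url_regex ACL (assumption:
# the operator wants everything under /forbidden/ blocked).
DENY_URL_REGEX = re.compile(r"/forbidden/", re.IGNORECASE)


def _truncate_at_nul(s: str) -> str:
    """Model of a C-string consumer: nothing after the first NUL is seen."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def naive_acl_denies(url: str) -> bool:
    """Toy model of the failure mode: percent-decode, then hand the result to
    a matcher that stops at the first NUL byte. A decoded '%00' that appears
    before the interesting part of the path hides that part from the regex."""
    decoded = unquote(url)
    return bool(DENY_URL_REGEX.search(_truncate_at_nul(decoded)))


def hardened_acl_denies(url: str) -> bool:
    """Hardened check: decode once, reject any URL containing a NUL byte
    (no legitimate HTTP URL carries one), then match on the whole string."""
    decoded = unquote(url)
    if "\x00" in decoded:
        return True  # refuse outright; such requests are worth logging
    return bool(DENY_URL_REGEX.search(decoded))


# Constructed lines in Squid's native access.log layout:
# timestamp elapsed client action/status size method URL ident hierarchy type
CONSTRUCTED_LOG = """\
1079842813.123   45 10.0.0.5 TCP_MISS/200 1024 GET http://example.invalid/allowed/page - DIRECT/192.0.2.10 text/html
1079842815.456   12 10.0.0.7 TCP_MISS/200 2048 GET http://example.invalid/%00/forbidden/page - DIRECT/192.0.2.10 text/html
1079842816.789    8 10.0.0.9 TCP_DENIED/403 512 GET http://example.invalid/forbidden/page - NONE/- text/html
"""


def find_nul_probes(log_text: str) -> list[tuple[str, str]]:
    """Return (client, url) pairs for log lines whose URL decodes to contain a
    NUL byte; the URL is the seventh whitespace-separated field."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        url = fields[6]
        if "\x00" in unquote(url):
            hits.append((fields[2], url))
    return hits


if __name__ == "__main__":
    for u in ("http://example.invalid/forbidden/page",
              "http://example.invalid/%00/forbidden/page"):
        print(u, "naive:", naive_acl_denies(u), "hardened:", hardened_acl_denies(u))
    print("NUL probes in log:", find_nul_probes(CONSTRUCTED_LOG))
```

The hardened variant treats the presence of a NUL byte as a reason to refuse the request rather than trying to match around it, which is the simpler invariant to reason about; the log scan applies the same decode-then-inspect step to recorded URLs so that a filter fix can be paired with a look back through existing traffic.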
Comment 1 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-21 04:21:08 UTC
There's already an updated version (net-www/squid-2.5.5) which should just be marked stable.
Comment 2 solar (RETIRED) gentoo-dev 2004-03-21 08:49:46 UTC
Arch maintainers, please try to confirm that squid-2.5.5 on your arch
can be marked stable.
Comment 3 Jason Wever (RETIRED) gentoo-dev 2004-03-21 09:07:33 UTC
stable on sparc.
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-03-21 13:54:00 UTC
looks good on alpha and ia64
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-23 08:24:20 UTC
This should IMHO be released ASAP...
ppc@, wassap with you? ;)
Comment 6 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-26 16:45:36 UTC
Hey, any news?! I mean, it's getting late... and: better a security fix on some arches than on none. Anyway, could we please do anything about it? I don't have access to ppc or hppa machines, otherwise I'd test it...
Comment 7 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-29 05:06:58 UTC
This is now 8 days old. Sorry, but something gotta happen soon :-(
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-03-30 02:57:29 UTC
marked stable on hppa.
sorry for the delay
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 04:25:12 UTC
PPC -- plztest.
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 07:04:17 UTC
Sorry for the delay, currently compiling on ppc.

The ppc team realised last night that only SeJo (new dev) and I are the ones with stable boxes since DarkSpecter's box died. So I have to roll up the work from the last two weeks, starting with security bugs.
Comment 11 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 07:20:15 UTC
It's stable on ppc now, removing from Cc.

BTW, x86 still has not confirmed it stable.
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 07:28:44 UTC
Donny -- sorry for adding you late to the game, I thought Wolfram was the package maintainer.  Is squid 2.5.5 safe to mark stable on x86?
Comment 13 Donny Davies (RETIRED) gentoo-dev 2004-03-30 10:02:39 UTC
Hi Kurt

Please feel free, I know of no reason to hold it back from going stable.

Regards.
Comment 14 Tim Yamin (RETIRED) gentoo-dev 2004-03-30 10:10:11 UTC
Stable on x86, thanks Donny. PPC64, can you folks get this stable along with the dependencies so we can roll this out? Thanks!
Comment 15 Wolfram Schlich (RETIRED) gentoo-dev 2004-03-31 00:37:38 UTC
Ah, it's marked stable on all but ppc64 :)
A _big thanks_ to everyone who helped to test and roll this update!
Comment 16 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 00:48:44 UTC
GLSA 200403-11