MDKSA-2004:025

Package name

squid

Date

2004-03-30

Advisory ID

MDKSA-2004:025

Affected versions

9.2 amd64 , CS2.1 x86_64 , 10.0 amd64 , CS2.1 i586 , 10.0 i586 , 9.2 i586 , 9.1 i586 , MNF8.2 i586 , 9.1 i586

Problem description

A vulnerability was discovered in squid version 2.5.STABLE4 and earlier with the processing of %-encoded characters in a URL. If a squid configuration uses ACLs (Access Control Lists), it is possible for a remote attacker to create URLs that would not be properly tested against squid's ACLs, potentially allowing clients to access URLs that would otherwise be disallowed. As well, the provided packages for Mandrake Linux 9.2 and 9.1 include a new Access Control type called "urllogin" which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information. While this Access Control type is available, it is not used in the default configuration. The updated packages are patched to protect against these vulnerabilities.

Updated packages

9.2 amd64

 6d9c8708456e3e581a2d0e4006073d9a  amd64/9.2/RPMS/squid-2.5.STABLE3-3.1.92mdk.amd64.rpm
9671d4f57c43ca371bb9437b5480bfe1  amd64/9.2/SRPMS/squid-2.5.STABLE3-3.1.92mdk.src.rpm

CS2.1 x86_64

 b28afa1eee2601d93919ab9b87c88cc1  x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.1.C21mdk.x86_64.rpm
5d800fb0ebf900f60ef1ba1eccb07642  x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.1.C21mdk.src.rpm

10.0 amd64

 664c3f35abb068297d7ee5a8e5d926f8  amd64/10.0/RPMS/squid-2.5.STABLE4-1.100mdk.amd64.rpm
6c2930b14c1c18228159f78a9892eb65  amd64/10.0/SRPMS/squid-2.5.STABLE4-1.100mdk.src.rpm

CS2.1 i586

 4fd20ca8507ea60149bd4795fed01f1a  corporate/2.1/RPMS/squid-2.4.STABLE7-2.1.C21mdk.i586.rpm
5d800fb0ebf900f60ef1ba1eccb07642  corporate/2.1/SRPMS/squid-2.4.STABLE7-2.1.C21mdk.src.rpm

10.0 i586

 a72b8ebf3da3d8435693301312fa475e  10.0/RPMS/squid-2.5.STABLE4-1.100mdk.i586.rpm
6c2930b14c1c18228159f78a9892eb65  10.0/SRPMS/squid-2.5.STABLE4-1.100mdk.src.rpm

9.2 i586

 16fa9ee0eed04bcd4e23aab9864adc10  9.2/RPMS/squid-2.5.STABLE3-3.1.92mdk.i586.rpm
9671d4f57c43ca371bb9437b5480bfe1  9.2/SRPMS/squid-2.5.STABLE3-3.1.92mdk.src.rpm

9.1 i586

 97f8a5010fcd34e2017cdddeca1871a8  9.1/RPMS/squid-2.5.STABLE1-7.1.91mdk.i586.rpm
77830b2c1f4b08013cf6ca3d90687927  9.1/SRPMS/squid-2.5.STABLE1-7.1.91mdk.src.rpm

MNF8.2 i586

 7bb35a615f5e95270f2514bd19ddf69d  mnf8.2/RPMS/squid-2.4.STABLE7-1.2.M82mdk.i586.rpm
7a590e5539a260dc6dc468c12c7f641d  mnf8.2/SRPMS/squid-2.4.STABLE7-1.2.M82mdk.src.rpm

9.1 i586

 123e83676d55a1c465040db5f1e688d4  ppc/9.1/RPMS/squid-2.5.STABLE1-7.1.91mdk.ppc.rpm
77830b2c1f4b08013cf6ca3d90687927  ppc/9.1/SRPMS/squid-2.5.STABLE1-7.1.91mdk.src.rpm

References

• http://www.microsoft.com/security/incident/spoof.asp
• http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189