Debian Security Advisory DSA 474-1                     security@debian.org 
Debian -- Security Information                              Matt Zimmerman
April 3rd, 2004                          Debian -- Debian security FAQ 
- --------------------------------------------------------------------------

Package        : squid
Problem-Type   : ACL bypass
Debian-specific: no
CVE Ids        : CAN-2004-0189

A vulnerability was discovered in squid, an Internet object cache,
whereby access control lists based on URLs could be bypassed
(CAN-2004-0189).  Two other bugs were also fixed with patches
squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not
appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a
potential denial of service).

For the stable distribution (woody) these problems have been fixed in
version 2.4.6-2woody2.

For the unstable distribution (sid) these problems have been fixed in
version 2.5.5-1.

We recommend that you update your squid package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

      
      Size/MD5 checksum:      621 d61b7bf783830f071f5f091db85864aa
      
      Size/MD5 checksum:   224311 e1fbff609b3957f2f0a834fe5ffba8dd
      
      Size/MD5 checksum:  1081920 59ce2c58da189626d77e27b9702ca228

  Alpha architecture:

      
      Size/MD5 checksum:   814744 342a3a95c73aa998461bb7519f1b6d6a
      
      Size/MD5 checksum:    75134 574f070f7a7fbd6a43246b42a1db9a39
      
      Size/MD5 checksum:    59926 c93d20eeb1563fb78c5085453abebd4b

  ARM architecture:

      
      Size/MD5 checksum:   724730 3b83ffa98670b7f9fe8eb431cd7e479b
      
      Size/MD5 checksum:    72542 efd5e8842815d2928d5bd4033907dce0
      
      Size/MD5 checksum:    58278 f436043d4b1139179af520a7a6b1b8d6

  Intel IA-32 architecture:

      
      Size/MD5 checksum:   698508 0aedc49b881f8d780c55290e09924efe
      
      Size/MD5 checksum:    72896 3277f9f2a974093b22d85dcbe8fd86ff
      
      Size/MD5 checksum:    57538 ccf05d0a3027e2f54253b023f139005e

  Intel IA-64 architecture:

      
      Size/MD5 checksum:   952742 e4e67ae336927d9816941016eeccccea
      
      Size/MD5 checksum:    78324 19c0e74ae46fe1f158cf7988c4e9bb1b
      
      Size/MD5 checksum:    62594 6cb77e23ac2d571d6e9c9ca9b993ed2b

  HP Precision architecture:

      
      Size/MD5 checksum:   778878 f39bf46bd07598ba48783eb8ddd392a7
      
      Size/MD5 checksum:    73912 f315c3aba6b2e47f8ab96741cdb0738a
      
      Size/MD5 checksum:    59422 329334888b68fed99760a6f2749010b1

  Motorola 680x0 architecture:

      
      Size/MD5 checksum:   664804 d3e929ea6f786b8791ce20077ef62872
      
      Size/MD5 checksum:    71856 535cd33a38f10d8813bbfab75591b956
      
      Size/MD5 checksum:    57496 63e90d2bda866227a745fcad95c45d5a

  Big endian MIPS architecture:

      
      Size/MD5 checksum:   764688 c6eefe3b6f9b8b4f5df943baa6a7a5dd
      
      Size/MD5 checksum:    73436 d5e34594b15e52097a84f5dabd3ec100
      
      Size/MD5 checksum:    58584 d9a275f87449d3531c302b531091800c

  Little endian MIPS architecture:

      
      Size/MD5 checksum:   763980 9f987ecd9a8ff462dbf1263739f1b8f1
      
      Size/MD5 checksum:    73432 e8b9c5bd013b013c6e859dc3af31dd0e
      
      Size/MD5 checksum:    58566 0b4cce0a9c8f989259dae10cf7fe957d

  PowerPC architecture:

      
      Size/MD5 checksum:   721636 0d9260b21bca35c26ed15d9a423d469f
      
      Size/MD5 checksum:    72498 b323cd2d039903ae92c0b433062ef376
      
      Size/MD5 checksum:    58170 19070ddbd50f03df0d0d9d0a4832781c

  IBM S/390 architecture:

      
      Size/MD5 checksum:   711180 80e6122e4505a03aa0ebee9993fb5c18
      
      Size/MD5 checksum:    72856 0b79555fe254218e3a159b23065f949c
      
      Size/MD5 checksum:    58718 de157f9dad34a4f28b2b41c6562ea2f1

  Sun Sparc architecture:

      
      Size/MD5 checksum:   723914 f3465e678067c079e1e9e2d4abca0cca
      
      Size/MD5 checksum:    75184 2e49570a56c5741aa3190b473e6ec920
      
      Size/MD5 checksum:    60592 eba58b5789a7eca6c7d91ff4a7f7c2fb

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb  Debian -- Security Information  stable/updates main
For dpkg-ftp:    dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and  http://packages.debian.org/

Debian: squid ACL bypass vulnerability

April 5, 2004
A URL can be crafted to be ignored (and automatically pass) by Squid's ACL system.

Summary

A vulnerability was discovered in squid, an Internet object cache,
whereby access control lists based on URLs could be bypassed
(CAN-2004-0189). Two other bugs were also fixed with patches
squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not
appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a
potential denial of service).

For the stable distribution (woody) these problems have been fixed in
version 2.4.6-2woody2.

For the unstable distribution (sid) these problems have been fixed in
version 2.5.5-1.

We recommend that you update your squid package.

Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:


Size/MD5 checksum: 621 d61b7bf783830f071f5f091db85864aa

Size/MD5 checksum: 224311 e1fbff609b3957f2f0a834fe5ffba8dd

Size/MD5 checksum: 1081920 59ce2c58da189626d77e27b9702ca228

Alpha architecture:


Size/MD5 checksum: 814744 342a3a95c73aa998461bb7519f1b6d6a

Size/MD5 checksum: 75134 574f070f7a7fbd6a43246b42a1db9a39

Size/MD5 checksum: 59926 c93d20eeb1563fb78c5085453abebd4b

ARM architecture:


Size/MD5 checksum: 724730 3b83ffa98670b7f9fe8eb431cd7e479b

Size/MD5 checksum: 72542 efd5e8842815d2928d5bd4033907dce0

Size/MD5 checksum: 58278 f436043d4b1139179af520a7a6b1b8d6

Intel IA-32 architecture:


Size/MD5 checksum: 698508 0aedc49b881f8d780c55290e09924efe

Size/MD5 checksum: 72896 3277f9f2a974093b22d85dcbe8fd86ff

Size/MD5 checksum: 57538 ccf05d0a3027e2f54253b023f139005e

Intel IA-64 architecture:


Size/MD5 checksum: 952742 e4e67ae336927d9816941016eeccccea

Size/MD5 checksum: 78324 19c0e74ae46fe1f158cf7988c4e9bb1b

Size/MD5 checksum: 62594 6cb77e23ac2d571d6e9c9ca9b993ed2b

HP Precision architecture:


Size/MD5 checksum: 778878 f39bf46bd07598ba48783eb8ddd392a7

Size/MD5 checksum: 73912 f315c3aba6b2e47f8ab96741cdb0738a

Size/MD5 checksum: 59422 329334888b68fed99760a6f2749010b1

Motorola 680x0 architecture:


Size/MD5 checksum: 664804 d3e929ea6f786b8791ce20077ef62872

Size/MD5 checksum: 71856 535cd33a38f10d8813bbfab75591b956

Size/MD5 checksum: 57496 63e90d2bda866227a745fcad95c45d5a

Big endian MIPS architecture:


Size/MD5 checksum: 764688 c6eefe3b6f9b8b4f5df943baa6a7a5dd

Size/MD5 checksum: 73436 d5e34594b15e52097a84f5dabd3ec100

Size/MD5 checksum: 58584 d9a275f87449d3531c302b531091800c

Little endian MIPS architecture:


Size/MD5 checksum: 763980 9f987ecd9a8ff462dbf1263739f1b8f1

Size/MD5 checksum: 73432 e8b9c5bd013b013c6e859dc3af31dd0e

Size/MD5 checksum: 58566 0b4cce0a9c8f989259dae10cf7fe957d

PowerPC architecture:


Size/MD5 checksum: 721636 0d9260b21bca35c26ed15d9a423d469f

Size/MD5 checksum: 72498 b323cd2d039903ae92c0b433062ef376

Size/MD5 checksum: 58170 19070ddbd50f03df0d0d9d0a4832781c

IBM S/390 architecture:


Size/MD5 checksum: 711180 80e6122e4505a03aa0ebee9993fb5c18

Size/MD5 checksum: 72856 0b79555fe254218e3a159b23065f949c

Size/MD5 checksum: 58718 de157f9dad34a4f28b2b41c6562ea2f1

Sun Sparc architecture:


Size/MD5 checksum: 723914 f3465e678067c079e1e9e2d4abca0cca

Size/MD5 checksum: 75184 2e49570a56c5741aa3190b473e6ec920

Size/MD5 checksum: 60592 eba58b5789a7eca6c7d91ff4a7f7c2fb

These files will probably be moved into the stable distribution on
its next revision.

For apt-get: deb Debian -- Security Information stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/



Severity
Package : squid
Problem-Type : ACL bypass
Debian-specific: no
CVE Ids : CAN-2004-0189

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved