Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:61.squid.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-01:61.squid.asc | 109 |
1 files changed, 0 insertions, 109 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:61.squid.asc b/share/security/advisories/FreeBSD-SA-01:61.squid.asc deleted file mode 100644 index d90652ddde..0000000000 --- a/share/security/advisories/FreeBSD-SA-01:61.squid.asc +++ /dev/null 
@@ -1,109 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-01:61 Security Advisory - FreeBSD, Inc. - -Topic: Squid in accelerator-only mode ignores ACLs - -Category: ports -Modules: squid22, squid23, squid24 -Announced: 2001-10-08 -Credits: Paul Nasrat <pnasrat@uk.now.com> -Affects: Ports collection prior to the correction date. -Corrected: 2001-07-29 12:29:00 (squid23) - 2001-08-28 16:48:35 2001 UTC (squid24) -FreeBSD only: NO - -I. Background - -The Squid Internet Object Cache is a web proxy/cache. - -II. Problem Description - -If squid is configured in acceleration-only mode (http_accel_host is -set, but http_accel_with_proxy is off), then as a result of a bug, -access control lists (ACLs) are ignored. - -III. Impact - -A remote attacker may use the squid server in order to issue requests -to hosts that are otherwise inaccessible. Because the squid server -processes these requests as HTTP requests, the attacker cannot send or -retrieve arbitrary data. However, the attacker could use squid's -response to determine if a particular port is open on a victim host. -Therefore, the squid server may be used to conduct a port scan. - -IV. Workaround - -1) Do not run squid in acceleration-only mode. - -2) Deinstall the squid port/package if you have it installed. - -V. Solution - -The port squid-2.3_1 and later 2.3 versions, and the port squid-2.4_5 -and later 2.4 versions include fixes for this vulnerability. The -squid-2.3 and squid-2.2 ports have been deprecated and removed from -the ports collection, and users are advised to upgrade to squid-2.4 as -soon as possible. - -1) Upgrade your entire ports collection and rebuild the squid port. 
- -2) Deinstall the old package and install a new package dated after the -correction date, obtained from the following directories: - -[i386] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/squid-2.3_1.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/squid-2.4_5.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.3_1.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.4_5.tgz - -[alpha] -Packages are not automatically generated for the alpha architecture at -this time due to lack of build resources. - -3) Download a new port skeleton for the procmail port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in the FreeBSD ports collection. - -Affected port - Path Revision -- ------------------------------------------------------------------------- -squid22 - *NOT CORRECTED* -squid23 - ports/www/squid23/Makefile 1.78 - ports/www/squid23/distinfo 1.57 -squid24 - ports/www/squid24/Makefile 1.84 - ports/www/squid24/distinfo 1.61 -- ------------------------------------------------------------------------- - -VII. 
References - -<URL:http://www.squid-cache.org/bugs/show_bug.cgi?id=215> ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.6 (FreeBSD) -Comment: For info see http://www.gnupg.org - -iQCVAwUBO8IVHVUuHi5z0oilAQGK1AP+MZ+Drf7VzdO1O0nr4SIIS8/FGmLYsIha -WsjWUBpmIeQk/c8jjLDMu32yIRoZNSu3F1Alc4XieDznAE8ZjburLMHY9RrQHOOY -WKuBcjjgSpmeB84MVIT0nCOtlI6+cmk7gLflxNYwUY1QKkIff5KrhTRqByJnICW3 -+g0WZtpdinE= -=js2W ------END PGP SIGNATURE----- |
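Review bot: the visible change gives no rationale for deleting a published, PGP-signed advisory (FreeBSD-SA-01:61.squid.asc, 109 lines removed, nothing added) and leaves no pointer to where the advisory now lives; since the diff is a pure deletion with no replacement path, the commit should state whether the file was relocated or superseded so readers following old links can find it. If the text is being republished elsewhere, two defects in the removed copy should not be carried over: section V step 3 reads "Download a new port skeleton for the procmail port from:" where the affected port is squid, and the squid24 line in the "Corrected:" header reads "2001-08-28 16:48:35 2001 UTC" with the year duplicated.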