Security Advisory squid security update

Advisory: RHSA-2004:133-12
Type: Security Advisory
Severity: Low
Issued on: 2004-04-14
Last updated on: 2004-04-14
Affected Products:
    Red Hat Enterprise Linux AS (v. 2.1)
    Red Hat Enterprise Linux AS (v. 3)
    Red Hat Enterprise Linux ES (v. 2.1)
    Red Hat Enterprise Linux ES (v. 3)
    Red Hat Enterprise Linux WS (v. 3)
    Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0189

Details

An updated squid package is available that fixes a security vulnerability in
URL decoding and provides a new ACL type for protecting vulnerable clients.

Squid is a full-featured Web proxy cache.

A bug was found in the processing of %-encoded characters in a URL in
versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses
Access Control Lists (ACLs), a remote attacker could create URLs that would
not be correctly tested against Squid's ACLs, potentially allowing clients
to access prohibited URLs.

Users of Squid should update to these erratum packages which are not
vulnerable to this issue.

In addition, these packages contain a new Access Control type, "urllogin",
which can be used to protect vulnerable Microsoft Internet Explorer clients
from accessing URLs that contain login information. Such URLs are often
used by fraudsters to trick web users into revealing valuable personal data.

Note that the default Squid configuration does not make use of this new
access control type. You must explicitly configure Squid with ACLs that
use this new type, in accordance with your own site policies.
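The two points above (ACL tests must run on the decoded URL, and a "urllogin"-style ACL that matches the login part of a URL) as an added, constructed illustration; this is not Squid's code and does not reproduce the exact Squid defect. The names decide(), normalize(), DENIED_DOMAINS and LOGIN_RE are assumptions.

```python
# Added example: a minimal ACL checker in the spirit of Squid's dstdomain
# and urllogin ACL types. Not Squid's code; function and constant names
# are assumptions chosen for this illustration.
import re
from urllib.parse import urlsplit, unquote

# Constructed site policy: deny these destination domains, and deny any
# URL whose authority part carries a login (user[:password]@host), which
# is what the advisory's new "urllogin" ACL type matches on.
DENIED_DOMAINS = {"blocked.example", "phish.example"}
LOGIN_RE = re.compile(r".")   # like 'acl login urllogin .': any login at all


def normalize(url: str) -> str:
    """Percent-decode the URL before any ACL test, so that an encoded
    byte cannot hide a character the ACL is looking for. Decoding is
    repeated until the string is stable (handles double encoding)."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url


def match_dstdomain(url: str, naive: bool = False) -> bool:
    """True if the URL's host is in DENIED_DOMAINS.
    naive=True tests the raw URL, the kind of ordering the advisory
    warns about; the default tests the decoded URL."""
    target = url if naive else normalize(url)
    host = (urlsplit(target).hostname or "").lower()
    return host in DENIED_DOMAINS


def match_urllogin(url: str) -> bool:
    """True if the URL has a login part (username, with or without a
    password), the condition a urllogin ACL is tested against."""
    parts = urlsplit(normalize(url))
    login = parts.username or ""
    if parts.password:
        login += ":" + parts.password
    return bool(login) and LOGIN_RE.search(login) is not None


def decide(url: str, naive: bool = False) -> str:
    """Return 'deny' or 'allow' for a client request URL, like an
    http_access line that denies both ACLs."""
    if match_dstdomain(url, naive=naive) or match_urllogin(url):
        return "deny"
    return "allow"
```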


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
squid-2.4.STABLE6-10.21as.src.rpm     465f0c77fd485041607ffe5b65e3adfa

IA-32:
squid-2.4.STABLE6-10.21as.i386.rpm    2f72879474d822e5ee35c6169f3d350d  (file outdated by RHSA-2008:0214)

IA-64:
squid-2.4.STABLE6-10.21as.ia64.rpm    a039857fa6ac4492986f508f0554c75b  (file outdated by RHSA-2008:0214)

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
squid-2.5.STABLE3-5.3E.src.rpm        2732d4487caab1fa0d3238dbe2c6a1e6

IA-32:
squid-2.5.STABLE3-5.3E.i386.rpm       f49a76f72f5811387b337cbfe6fea983  (file outdated by RHSA-2008:0214)

IA-64:
squid-2.5.STABLE3-5.3E.ia64.rpm       f436a858a28cf351802a7ae4b792d9ca  (file outdated by RHSA-2008:0214)

PPC:
squid-2.5.STABLE3-5.3E.ppc.rpm        3c5c99d1fea5ab90596557a78ef21a91  (file outdated by RHSA-2008:0214)
squid-2.5.STABLE3-5.3E.ppc64.rpm      f230504e2f3aee72fe46754ae0dc0e9e

s390:
squid-2.5.STABLE3-5.3E.s390.rpm       9370229f49341fa002dfc566edbae0e6  (file outdated by RHSA-2008:0214)

s390x:
squid-2.5.STABLE3-5.3E.s390x.rpm      5b5b760cb7b52691c1055b87bdc33183  (file outdated by RHSA-2008:0214)

x86_64:
squid-2.5.STABLE3-5.3E.x86_64.rpm     9041369b91c153bb4f7ba392c62327ae  (file outdated by RHSA-2008:0214)

Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
squid-2.4.STABLE6-10.21as.src.rpm     465f0c77fd485041607ffe5b65e3adfa

IA-32:
squid-2.4.STABLE6-10.21as.i386.rpm    2f72879474d822e5ee35c6169f3d350d  (file outdated by RHSA-2008:0214)

Red Hat Enterprise Linux ES (v. 3)

SRPMS:
squid-2.5.STABLE3-5.3E.src.rpm        2732d4487caab1fa0d3238dbe2c6a1e6

IA-32:
squid-2.5.STABLE3-5.3E.i386.rpm       f49a76f72f5811387b337cbfe6fea983  (file outdated by RHSA-2008:0214)

Red Hat Enterprise Linux WS (v. 3)

SRPMS:
squid-2.5.STABLE3-5.3E.src.rpm        2732d4487caab1fa0d3238dbe2c6a1e6

IA-32:
squid-2.5.STABLE3-5.3E.i386.rpm       f49a76f72f5811387b337cbfe6fea983  (file outdated by RHSA-2008:0214)

IA-64:
squid-2.5.STABLE3-5.3E.ia64.rpm       f436a858a28cf351802a7ae4b792d9ca  (file outdated by RHSA-2008:0214)

x86_64:
squid-2.5.STABLE3-5.3E.x86_64.rpm     9041369b91c153bb4f7ba392c62327ae  (file outdated by RHSA-2008:0214)

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
squid-2.4.STABLE6-10.21as.src.rpm     465f0c77fd485041607ffe5b65e3adfa

IA-64:
squid-2.4.STABLE6-10.21as.ia64.rpm    a039857fa6ac4492986f508f0554c75b  (file outdated by RHSA-2008:0214)

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

118032 - CAN-2004-0189 Squid ACL bypass


Keywords

Phishing, Spoofing


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/