OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 01-Apr-2004 20:09:48 Branch: HEAD Handle: 2004040119094800 Modified files: openpkg-web/security OpenPKG-SA-2004.008-squid.txt Log: cleanups and fixes Summary: Revision Changes Path 1.2 +10 -18 openpkg-web/security/OpenPKG-SA-2004.008-squid.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.008-squid.txt ============================================================================ $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.008-squid.txt --- openpkg-web/security/OpenPKG-SA-2004.008-squid.txt 1 Apr 2004 15:57:40 -0000 1.1 +++ openpkg-web/security/OpenPKG-SA-2004.008-squid.txt 1 Apr 2004 18:09:48 -0000 1.2 
@@ -15,25 +15,20 @@ OpenPKG 2.0 <= squid-2.5.4-2.0.0 >= squid-2.5.4-2.0.1 OpenPKG 1.3 <= squid-2.5.3-1.3.0 >= squid-2.5.3-1.3.1 -Affected Releases: Dependent Packages: -OpenPKG CURRENT calamaris -OpenPKG 2.0 calamaris -OpenPKG 1.3 calamaris +Dependent Packages: none Description: - According to security advisory from the squid developers [0] - a vulnerability exists in the URL unescape logic of the Squid - Web Proxy Cache [1]. This bug could allow an attacker to bypass - certain access controls by inserting a NUL character into - decoded URLs. - - The Common Vulnerabilities and Exposures (CVE) project assigned - the id CAN-2004-0189 [2] to the problem. + According to a security advisory [0] from the vendor, a vulnerability + exists in the URL unescaping logic of the Squid Web Proxy Cache + [1]. This bug could allow an attacker to bypass certain access + controls by inserting a NUL character into decoded URLs. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0189 [2] to the problem. Please check whether you are affected by running "<prefix>/bin/rpm -q squid". If you have the "squid" package installed and its version is affected (see above), we recommend that you immediately upgrade - it (see Solution) and any dependent packages (see above). [3][4] + it (see Solution). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release @@ -53,9 +48,6 @@ $ <prefix>/bin/openpkg rpm --rebuild squid-2.5.4-2.0.1.src.rpm $ su - # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.4-2.0.1.*.rpm - - Additionally, we recommend that you rebuild and reinstall - all dependent packages (see above), if any, too. [3][4] ________________________________________________________________________ References: 
@@ -64,8 +56,8 @@ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary - [5] ftp://ftp.openpkg.org/release/1.3/UPD/foo-1.2.3-1.3.1.src.rpm - [6] ftp://ftp.openpkg.org/release/2.0/UPD/foo-1.2.3-2.0.1.src.rpm + [5] ftp://ftp.openpkg.org/release/1.3/UPD/squid-2.5.3-1.3.1.src.rpm + [6] ftp://ftp.openpkg.org/release/2.0/UPD/squid-2.5.4-2.0.1.src.rpm [7] ftp://ftp.openpkg.org/release/1.3/UPD/ [8] ftp://ftp.openpkg.org/release/2.0/UPD/ [9] http://www.openpkg.org/security.html#signature @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
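Review bot: replacing the "Affected Releases: Dependent Packages:" table (which listed calamaris for OpenPKG CURRENT, 2.0 and 1.3) with "Dependent Packages: none" also deletes the Solution paragraph that recommended rebuilding dependent packages; the visible lines give no reason why calamaris stopped being a dependent, and the log message "cleanups and fixes" does not say either, so either state in the log why the dependency was dropped or keep the rebuild advice. In the rewritten Description, "a security advisory [0] from the vendor" is less precise than the original "the squid developers [0]" for a project without a commercial vendor; suggest keeping "from the Squid developers".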
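Review bot: references [5] and [6] in revision 1.1 still carried the advisory template's foo-1.2.3 placeholders, so a published advisory pointed at non-existent source RPMs; the corrected filenames squid-2.5.3-1.3.1.src.rpm and squid-2.5.4-2.0.1.src.rpm agree with the fixed versions in the affected-releases table and with the "openpkg rpm --rebuild squid-2.5.4-2.0.1.src.rpm" command in the Solution section. Suggest a pre-commit check for leftover template strings such as "foo-" before the first revision of an advisory is committed, since until this fix only the directory references [7] and [8] were usable download links.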