OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 01-Apr-2004 20:09:48
Branch: HEAD Handle: 2004040119094800
Modified files:
openpkg-web/security OpenPKG-SA-2004.008-squid.txt
Log:
cleanups and fixes
Summary:
Revision Changes Path
1.2 +10 -18 openpkg-web/security/OpenPKG-SA-2004.008-squid.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.008-squid.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.008-squid.txt
--- openpkg-web/security/OpenPKG-SA-2004.008-squid.txt 1 Apr 2004 15:57:40
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2004.008-squid.txt 1 Apr 2004 18:09:48
-0000 1.2
@@ -15,25 +15,20 @@
OpenPKG 2.0 <= squid-2.5.4-2.0.0 >= squid-2.5.4-2.0.1
OpenPKG 1.3 <= squid-2.5.3-1.3.0 >= squid-2.5.3-1.3.1
-Affected Releases: Dependent Packages:
-OpenPKG CURRENT calamaris
-OpenPKG 2.0 calamaris
-OpenPKG 1.3 calamaris
+Dependent Packages: none
Description:
- According to security advisory from the squid developers [0]
- a vulnerability exists in the URL unescape logic of the Squid
- Web Proxy Cache [1]. This bug could allow an attacker to bypass
- certain access controls by inserting a NUL character into
- decoded URLs.
-
- The Common Vulnerabilities and Exposures (CVE) project assigned
- the id CAN-2004-0189 [2] to the problem.
+ According to a security advisory [0] from the vendor, a vulnerability
+ exists in the URL unescaping logic of the Squid Web Proxy Cache
+ [1]. This bug could allow an attacker to bypass certain access
+ controls by inserting a NUL character into decoded URLs. The
+ Common Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2004-0189 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm
-q squid". If you have the "squid" package installed and its version
is affected (see above), we recommend that you immediately upgrade
- it (see Solution) and any dependent packages (see above). [3][4]
+ it (see Solution). [3][4]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
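Review bot: The switch to "Dependent Packages: none" drops calamaris for CURRENT, 2.0 and 1.3 at once, but the log message ("cleanups and fixes") gives no reason for it. Readers of revision 1.1 were told to rebuild calamaris, so please state in the log (or in the advisory itself) why calamaris does not need a rebuild for CAN-2004-0189. The matching edit to the "Please check" paragraph, which now ends at "it (see Solution). [3][4]", is consistent with that change.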
@@ -53,9 +48,6 @@
$ <prefix>/bin/openpkg rpm --rebuild squid-2.5.4-2.0.1.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.4-2.0.1.*.rpm
-
- Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________
References:
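Review bot: With the trailing paragraph removed, the visible Solution steps end at the "rpm -Fvh" upgrade command and go straight to the References rule, and nothing in these lines says whether a running squid has to be restarted to pick up the rebuilt package. If the package does not do that by itself, a closing sentence saying so would complete the procedure. Removing the "rebuild and reinstall all dependent packages" text is otherwise consistent with "Dependent Packages: none" in the first hunk.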
@@ -64,8 +56,8 @@
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
- [5] ftp://ftp.openpkg.org/release/1.3/UPD/foo-1.2.3-1.3.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/2.0/UPD/foo-1.2.3-2.0.1.src.rpm
+ [5] ftp://ftp.openpkg.org/release/1.3/UPD/squid-2.5.3-1.3.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/2.0/UPD/squid-2.5.4-2.0.1.src.rpm
[7] ftp://ftp.openpkg.org/release/1.3/UPD/
[8] ftp://ftp.openpkg.org/release/2.0/UPD/
[9] http://www.openpkg.org/security.html#signature
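Review bot: The old [5] and [6] lines show that revision 1.1 was committed with the template placeholder "foo-1.2.3" still in the download URLs, so the advisory pointed at source RPMs that are not the squid fix. The new values, squid-2.5.3-1.3.1 and squid-2.5.4-2.0.1, agree with the fixed versions in the table context of the first hunk. Consider a check before commit that rejects an advisory still containing the template name "foo", so a placeholder URL cannot reach the published security page again.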
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]