• info
• discussion
• exploit
• solution
• references

Squid Proxy NULL URL Character Unauthorized Access Vulnerability

Solution:
The vendor has released version 2.5 STABLE5 to address this issue.

Turbolinux has released an advisory (TLSA-2004-24) and fixes to address this issue. Customers are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes.

SGI has released an advisory 20040404-01-U and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes. Fixes are linked below.

Red Hat has released an advisory (RHSA-2004:133-12) and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Conectiva have released a security advisory (CLA-2004:838), and updates
to address this issue in Conectiva products. Users are advised to apply
these updates as soon as possible, further details regarding obtaining
and installing these updates can be found in the referenced advisory.

Red Hat has released an advisory (RHSA-2004:134-01) and fixes to address this issue on Red Hat Linux 9 platforms. Customers affected by this issue are advised to apply the appropriate updates. Please see referenced advisory for additional information, fix is linked below.

Gentoo has released advisory GLSA 200403-11 to address this issue. To update the system, enter the following commands:
# emerge sync
# emerge -pv ">=net-www/squid-2.5.5"
# emerge ">=net-www/squid-2.5.5"

Mandrake has released an advisory MDKSA-2004:025 to address this issue. Please see the referenced advisory for more information.

OpenPKG has released an advisory OpenPKG-SA-2004.008 to address this issue in OpenPKG CURRENT, 2.0 and 1.3. Please see the referenced advisory for more information.

Debian has released advisory DSA 474-1 dealing with this issue.

RedHat has released an advisory FEDORA-2004-104 to address this issue in Fedora. Please see the referenced advisory for more information.

Trustix has released an advisory TSL-2004-0019 with fixes to address this issue. Please see the referenced advisory for more information.

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI
ProPack 3 to address this and other issues. Please see the referenced
advisory for more information.

SCO has released an advisory (SCOSA-2004.13) to address this issue for OpenServer 5.0.6 and 5.0.7. Please see the referenced advisory for further information on obtaining fixes for affected operating systems.

SCO has released an advisory (SCOSA-2005.16) to address this issue in UnixWare 7.1.4. Please see the referenced advisory for further information on obtaining fixes.


Squid Web Proxy Cache 2.0 PATCH2

• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

Squid Web Proxy Cache 2.1 PATCH2

• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

Squid Web Proxy Cache 2.3 .STABLE4

• TurboLinux squid-2.5.STABLE6-7.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/ updates/RPMS/squid-2.5.STABLE6-7.i586.rpm

Squid Web Proxy Cache 2.3 .STABLE5

• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

SGI ProPack 2.3

• SGI patch10067.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/patch1 0067.tar.gz

Squid Web Proxy Cache 2.4 .STABLE7

• Mandrake squid-2.4.STABLE7-1.2.M82mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake squid-2.4.STABLE7-2.1.C21mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake squid-2.4.STABLE7-2.1.C21mdk.x86_64.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz


• Trustix squid-2.4.STABLE7-2tr.i586.rpm
  Secure Linux 1.5
  ftp://ftp.trustix.org/pub/trustix/updates/

Squid Web Proxy Cache 2.4 .STABLE6

• TurboLinux squid-2.5.STABLE6-7.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updat es/RPMS/squid-2.5.STABLE6-7.i586.rpm


• TurboLinux squid-2.5.STABLE6-7.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/ updates/RPMS/squid-2.5.STABLE6-7.i586.rpm

Squid Web Proxy Cache 2.4

• Conectiva squid-2.4.7-1U80_4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-2.4.7-1U80_4cl.i386.r pm


• Conectiva squid-2.5.5-25761U90_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-2.5.5-25761U90_3cl.i3 86.rpm


• Conectiva squid-auth-2.4.7-1U80_4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-auth-2.4.7-1U80_4cl.i 386.rpm


• Conectiva squid-auth-2.5.5-25761U90_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-auth-2.5.5-25761U90_3 cl.i386.rpm


• Conectiva squid-doc-2.4.7-1U80_4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-doc-2.4.7-1U80_4cl.i3 86.rpm


• Conectiva squid-extra-templates-2.5.5-25761U90_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-extra-templates-2.5.5 -25761U90_3cl.i386.rpm


• Conectiva squid-templates-2.4.7-1U80_4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-templates-2.4.7-1U80_ 4cl.i386.rpm


• Debian squid-cgi_2.4.6-2woody1_mipsel.deb
  Little Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody1_mipsel.deb


• Debian squid-cgi_2.4.6-2woody2_alpha.deb
  Alpha Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_alpha.deb


• Debian squid-cgi_2.4.6-2woody2_arm.deb
  ARM Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_arm.deb


• Debian squid-cgi_2.4.6-2woody2_hppa.deb
  HP Precision Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_hppa.deb


• Debian squid-cgi_2.4.6-2woody2_i386.deb
  IA-32 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_i386.deb


• Debian squid-cgi_2.4.6-2woody2_ia64.deb
  IA-64 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_ia64.deb


• Debian squid-cgi_2.4.6-2woody2_m68k.deb
  Motorola 680x0 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_m68k.deb


• Debian squid-cgi_2.4.6-2woody2_mips.deb
  Big Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_mips.deb


• Debian squid-cgi_2.4.6-2woody2_powerpc.deb
  PowerPC Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_powerpc.deb


• Debian squid-cgi_2.4.6-2woody2_s390.deb
  ISM S/390 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_s390.deb


• Debian squid-cgi_2.4.6-2woody2_sparc.deb
  Sun Sparc Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2 woody2_sparc.deb


• Debian squid_2.4.6-2woody1_mipsel.deb
  Little Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y1_mipsel.deb


• Debian squid_2.4.6-2woody2_arm.deb
  ARM Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_arm.deb


• Debian squid_2.4.6-2woody2_hppa.deb
  HP Precision Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_hppa.deb


• Debian squid_2.4.6-2woody2_i386.deb
  IA-32 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_i386.deb


• Debian squid_2.4.6-2woody2_ia64.deb
  IA-64 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_ia64.deb


• Debian squid_2.4.6-2woody2_m68k.deb
  Motorola 680x0 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_m68k.deb


• Debian squid_2.4.6-2woody2_mips.deb
  Big Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_mips.deb


• Debian squid_2.4.6-2woody2_powerpc.deb
  PowerPC Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_powerpc.deb


• Debian squid_2.4.6-2woody2_s390.deb
  ISM S/390 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_s390.deb


• Debian squid_2.4.6-2woody2_sparc.deb
  Sun Sparc Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_sparc.deb


• Debian squidclient_2.4.6-2woody1_mipsel.deb
  Little Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody1_mipsel.deb


• Debian squidclient_2.4.6-2woody2_alpha.deb
  Alpha Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_alpha.deb


• Debian squidclient_2.4.6-2woody2_arm.deb
  ARM Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_arm.deb


• Debian squidclient_2.4.6-2woody2_hppa.deb
  HP Precision Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_hppa.deb


• Debian squidclient_2.4.6-2woody2_i386.deb
  IA-32 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_i386.deb


• Debian squidclient_2.4.6-2woody2_ia64.deb
  IA-64 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_ia64.deb


• Debian squidclient_2.4.6-2woody2_m68k.deb
  Motorola 680x0 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_m68k.deb


• Debian squidclient_2.4.6-2woody2_mips.deb
  Big Endian MIPS Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_mips.deb


• Debian squidclient_2.4.6-2woody2_powerpc.deb
  PowerPC Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_powerpc.deb


• Debian squidclient_2.4.6-2woody2_s390.deb
  ISM S/390 Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_s390.deb


• Debian squidclient_2.4.6-2woody2_sparc.deb
  Sun Sparc Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6 -2woody2_sparc.deb


• Debian squid_2.4.6-2woody2_alpha.deb
  Alpha Architecture:
  http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2wood y2_alpha.deb


• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

Squid Web Proxy Cache 2.4 .STABLE2

• TurboLinux squid-2.5.STABLE6-7.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updat es/RPMS/squid-2.5.STABLE6-7.i586.rpm

SGI ProPack 2.4

• SGI patch10067.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/patch1 0067.tar.gz

Squid Web Proxy Cache 2.5 .STABLE4

• Mandrake squid-2.5.STABLE4-1.100mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• OpenPKG squid-2.5.4-2.0.1.src.rpm
  ftp://ftp.openpkg.org/release/2.0/UPD/squid-2.5.4-2.0.1.src.rpm


• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

Squid Web Proxy Cache 2.5 .STABLE1

• Mandrake squid-2.5.STABLE1-7.1.91mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake squid-2.5.STABLE1-7.1.91mdk.ppc.rpm
  http://www.mandrakesecure.net/en/ftp.php

Squid Web Proxy Cache 2.5 .STABLE3

• Mandrake squid-2.5.STABLE3-3.1.92mdk.amd64.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake squid-2.5.STABLE3-3.1.92mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• OpenPKG squid-2.5.3-1.3.1.src.rpm
  ftp://ftp.openpkg.org/release/1.3/UPD/squid-2.5.3-1.3.1.src.rpm


• RedHat squid-2.5.STABLE3-1.fc1.i386.rpm
  i386 platform.
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /squid-2.5.STABLE3-1.fc1.i386.rpm


• RedHat squid-2.5.STABLE3-1.fc1.x86_64.rpm
  i386 platform.
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /debug/x86_64/squid-2.5.STABLE3-1.fc1.x86_64.rpm


• RedHat squid-debuginfo-2.5.STABLE3-1.fc1.i386.rpm
  i386 platform.
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /debug/squid-debuginfo-2.5.STABLE3-1.fc1.i386.rpm


• RedHat squid-debuginfo-2.5.STABLE3-1.fc1.x86_64.rpm
  i386 platform.
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /debug/x86_64/debug/squid-debuginfo-2.5.STABLE3-1.fc1.x86_64.rpm


• Squid squid-2.5.STABLE5.tar.gz
  http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz

SGI ProPack 3.0

• SGI patch10075.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

SCO Unixware 7.1.4

• SCO SCOSA-2005.16
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.16