The asn_parse_header function (asn1.c) in the SNMP module
for Squid Web Proxy Cache before 2.4.STABLE7 allows remote
attackers to cause a denial of service (server restart) via
certain SNMP packets with negative length fields that causes
a memory allocation error.
The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier
allows remote attackers to bypass url_regex ACLs via a URL with
a NULL ("%00") character, which causes Squid to use only a
portion of the requested URL when comparing it against the
access control lists.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0189 and CAN-2004-0918 to this issues.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 distribution
3. Solution
The proper solution is to install the latest packages.
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download squid.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/squid.pkg
or
See ftp://ftp.sco.com/pub/unixware7/714/mp/mp2/uw714mp2.txt
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
http://www.microsoft.com/security/incident/spoof.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Mitch Adair reported %00 bug and
Duane Wessels, for patching the %00 bug and adding the
urllogin ACL type.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
______
SCO Security Advisory
Subject: UnixWare 7.1.4 : squid updated package fixes several security issues
Advisory number: SCOSA-2005.16
Issue date: 2005 February 11
Cross reference: sr890343 fz529457 erg712610 sr892199 fz530514 erg712740 CAN-2004-0189 CAN-2004-0918
________________________________________________________________________
______
1. Problem Description
The asn_parse_header function (asn1.c) in the SNMP module
for Squid Web Proxy Cache before 2.4.STABLE7 allows remote
attackers to cause a denial of service (server restart) via
certain SNMP packets with negative length fields that causes
a memory allocation error.
The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier
allows remote attackers to bypass url_regex ACLs via a URL with
a NULL ("%00") character, which causes Squid to use only a
portion of the requested URL when comparing it against the
access control lists.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0189 and CAN-2004-0918 to this issues.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.16
or
The fixes are also available in SCO UnixWare 7.1.4 Mantenance Pack 2
http://www.sco.com/support/update/download/release.php?rid=58
4.2 Verification
MD5 (squid.pkg) = 6c33ff5d3b7bac965e2c816f0ae489eb
or
MD5 (uw714mp2.iso) = 335919be68f54253852cb8abca11814a
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download squid.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/squid.pkg
or
See ftp://ftp.sco.com/pub/unixware7/714/mp/mp2/uw714mp2.txt
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
http://www.microsoft.com/security/incident/spoof.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr890343 fz529457
erg712610 sr892199 fz530514 erg712740.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Mitch Adair reported %00 bug and
Duane Wessels, for patching the %00 bug and adding the
urllogin ACL type.
________________________________________________________________________
______
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)
iD8DBQFCI3A+aqoBO7ipriERAppTAJ9Fh/jKFa4KUnk9qICwuNoh+COo6QCfa6vC
W4JiUN/MzU73p3H4rcxh9lE=
=eNIb
-----END PGP SIGNATURE-----
[ reply ]