rhsa-2005:489
Vulnerability from csaf_redhat
Published
2005-06-13 12:08
Modified
2024-11-21 23:44
Summary
Red Hat Security Advisory: squid security update

Notes

Topic
An updated squid package that fixes several security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
Details
Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0718 to this issue. A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue. A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall, it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1519 to this issue. Additionally, this update fixes the following bugs: - squid fails in the unpacking of squid-2.4.STABLE7-1.21as.5.src.rpm Users of Squid should upgrade to this updated package, which contains backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated squid package that fixes several security issues is now available.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Squid is a full-featured Web proxy cache. \n \nA bug was found in the way Squid handles PUT and POST requests. It is\npossible for an authorised remote user to cause a failed PUT or POST\nrequest which can cause Squid to crash. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2005-0718 to\nthis issue.\n \nA bug was found in the way Squid handles access to the cachemgr.cgi script. \nIt is possible for an authorised remote user to bypass access control\nlists with this flaw. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-1999-0710 to this issue.\n \nA bug was found in the way Squid handles DNS replies.  If the port Squid\nuses for DNS requests is not protected by a firewall, it is possible for a\nremote attacker to spoof DNS replies, possibly redirecting a user to\nspoofed or malicious content. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name  CAN-2005-1519 to this issue. \n \nAdditionally, this update fixes the following bugs:   \n - squid fails in the unpacking of squid-2.4.STABLE7-1.21as.5.src.rpm\n \nUsers of Squid should upgrade to this updated package, which contains\nbackported patches to correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2005:489",
        "url": "https://access.redhat.com/errata/RHSA-2005:489"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "125007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=125007"
      },
      {
        "category": "external",
        "summary": "151423",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=151423"
      },
      {
        "category": "external",
        "summary": "153960",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=153960"
      },
      {
        "category": "external",
        "summary": "156161",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=156161"
      },
      {
        "category": "external",
        "summary": "157455",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=157455"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2005/rhsa-2005_489.json"
      }
    ],
    "title": "Red Hat Security Advisory: squid security update",
    "tracking": {
      "current_release_date": "2024-11-21T23:44:21+00:00",
      "generator": {
        "date": "2024-11-21T23:44:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2005:489",
      "initial_release_date": "2005-06-13T12:08:00+00:00",
      "revision_history": [
        {
          "date": "2005-06-13T12:08:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2005-06-13T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T23:44:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                "product": {
                  "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux Advanced Workstation 2.1",
                "product": {
                  "name": "Red Hat Linux Advanced Workstation 2.1",
                  "product_id": "Red Hat Linux Advanced Workstation 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 2.1",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 2.1",
                  "product_id": "Red Hat Enterprise Linux ES version 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-1999-0710",
      "discovery_date": "2005-04-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616452"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-1999-0710"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616452",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616452"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-1999-0710",
          "url": "https://www.cve.org/CVERecord?id=CVE-1999-0710"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-1999-0710",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-1999-0710"
        }
      ],
      "release_date": "1999-07-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2005-06-13T12:08:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  Use Red Hat\nNetwork to download and update your packages.  To launch the Red Hat\nUpdate Agent, use the following command:\n\n    up2date\n\nFor information on how to install packages manually, refer to the\nfollowing Web page for the System Administration or Customization\nguide specific to your system:\n\n    http://www.redhat.com/docs/manuals/enterprise/",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2005:489"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2005-0718",
      "discovery_date": "2005-03-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1617563"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2005-0718"
        },
        {
          "category": "external",
          "summary": "RHBZ#1617563",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617563"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2005-0718",
          "url": "https://www.cve.org/CVERecord?id=CVE-2005-0718"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2005-0718",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-0718"
        }
      ],
      "release_date": "2005-03-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2005-06-13T12:08:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  Use Red Hat\nNetwork to download and update your packages.  To launch the Red Hat\nUpdate Agent, use the following command:\n\n    up2date\n\nFor information on how to install packages manually, refer to the\nfollowing Web page for the System Administration or Customization\nguide specific to your system:\n\n    http://www.redhat.com/docs/manuals/enterprise/",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2005:489"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2005-1519",
      "discovery_date": "2005-05-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1617653"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2005-1519"
        },
        {
          "category": "external",
          "summary": "RHBZ#1617653",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617653"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2005-1519",
          "url": "https://www.cve.org/CVERecord?id=CVE-2005-1519"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2005-1519",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1519"
        }
      ],
      "release_date": "2005-05-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2005-06-13T12:08:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  Use Red Hat\nNetwork to download and update your packages.  To launch the Red Hat\nUpdate Agent, use the following command:\n\n    up2date\n\nFor information on how to install packages manually, refer to the\nfollowing Web page for the System Administration or Customization\nguide specific to your system:\n\n    http://www.redhat.com/docs/manuals/enterprise/",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2005:489"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "security flaw"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.