Vulnerability Bulletins |
Error de validación de acceso en Squid |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Aumento de privilegios |
| Dificulty | Experto |
| Required attacker level | Acceso remoto con cuenta |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software | Squid <=2.5 |
Description |
|
|
Se ha descubierto una vulnerabilidad en la versión 2.5 y anteriores de Squid. La vulnerabilidad reside en squid_ldap_auth que permite a usuarios remotos autenticados saltarse ACLs (access control lists) basadas en el nombre de usuario mediante un nombre de usuario con un espacio al principio o al final que es ignorado por el servidor LDAP. |
|
Solution |
|
|
Si lo desea, aplique los mecanismos de actualización propios de su distribución, o bien baje las fuentes del software y compílelo usted mismo. Actualización de software Squid Squid 2.5.STABLE7 - Parche http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch Debian Linux Debian Linux 3.0 Source http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6.dsc http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6.diff.gz http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz Alpha http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_alpha.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_alpha.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_alpha.deb ARM http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_arm.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_arm.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_i386.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_i386.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_ia64.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_ia64.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_ia64.deb HP Precision http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_hppa.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_hppa.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_m68k.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_m68k.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_mips.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_mips.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_mipsel.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_mipsel.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_powerpc.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_powerpc.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_s390.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_s390.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_sparc.deb http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_sparc.deb http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_sparc.deb SUSE Linux Distribuciones basadas en SUSE Linux - Actualizar mediante YaST Online Update Mandrake Linux Mandrakelinux 9.2 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/squid-2.5.STABLE3-3.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/squid-2.5.STABLE3-3.6.92mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/squid-2.5.STABLE3-3.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/squid-2.5.STABLE3-3.6.92mdk.src.rpm Mandrakelinux 10.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/squid-2.5.STABLE4-2.4.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/squid-2.5.STABLE4-2.4.100mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/squid-2.5.STABLE4-2.4.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/squid-2.5.STABLE4-2.4.100mdk.src.rpm Mandrakelinux 10.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/squid-2.5.STABLE6-2.3.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/squid-2.5.STABLE6-2.3.101mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/squid-2.5.STABLE6-2.3.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/squid-2.5.STABLE6-2.3.101mdk.src.rpm Corporate Server 2.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/squid-2.4.STABLE7-2.4.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.4.C21mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.4.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.4.C21mdk.src.rpm Corporate Server 3.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/squid-2.5.STABLE4-2.4.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/squid-2.5.STABLE4-2.4.C30mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/squid-2.5.STABLE4-2.4.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/squid-2.5.STABLE4-2.4.C30mdk.src.rpm SUSE Linux SUSE Linux 9.2 x86 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/squid-2.5.STABLE6-6.6.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/squid-2.5.STABLE6-6.6.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/squid-2.5.STABLE6-6.6.src.rpm x86_64 ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/squid-2.5.STABLE6-6.6.x86_64.rpm ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/squid-2.5.STABLE6-6.6.x86_64.patch.rpm ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/squid-2.5.STABLE6-6.6.src.rpm SUSE Linux 9.1 x86 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.27.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.27.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/squid-2.5.STABLE5-42.27.src.rpm x86_64 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.27.x86_64.rpm ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.27.x86_64.patch.rpm SUSE Linux 9.0 x86 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-118.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-118.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/squid-2.5.STABLE3-118.src.rpm x86_64 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-118.x86_64.rpm ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-118.x86_64.patch.rpm ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/squid-2.5.STABLE3-118.src.rpm SUSE Linux 8.2 x86 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-106.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-106.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/squid-2.5.STABLE1-106.src.rpm SUSE Linux 8.1 x86 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/squid-2.4.STABLE7-288.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/squid-2.4.STABLE7-288.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/squid-2.4.STABLE7-288.src.rpm Red Hat Linux Red Hat Desktop (v. 3) SRPMS squid-2.5.STABLE3-6.3E.7.src.rpm IA-32 squid-2.5.STABLE3-6.3E.7.i386.rpm x86_64 squid-2.5.STABLE3-6.3E.7.x86_64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 2.1) SRPMS squid-2.4.STABLE7-1.21as.4.src.rpm IA-32 squid-2.4.STABLE7-1.21as.4.i386.rpm IA-64 squid-2.4.STABLE7-1.21as.4.ia64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 3) SRPMS squid-2.5.STABLE3-6.3E.7.src.rpm IA-32 squid-2.5.STABLE3-6.3E.7.i386.rpm IA-64 squid-2.5.STABLE3-6.3E.7.ia64.rpm PPC squid-2.5.STABLE3-6.3E.7.ppc.rpm s390 squid-2.5.STABLE3-6.3E.7.s390.rpm s390x squid-2.5.STABLE3-6.3E.7.s390x.rpm x86_64 squid-2.5.STABLE3-6.3E.7.x86_64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 2.1) SRPMS squid-2.4.STABLE7-1.21as.4.src.rpm IA-32 squid-2.4.STABLE7-1.21as.4.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 3) SRPMS squid-2.5.STABLE3-6.3E.7.src.rpm IA-32 squid-2.5.STABLE3-6.3E.7.i386.rpm IA-64 squid-2.5.STABLE3-6.3E.7.ia64.rpm x86_64 squid-2.5.STABLE3-6.3E.7.x86_64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux WS (v. 3) SRPMS squid-2.5.STABLE3-6.3E.7.src.rpm IA-32 squid-2.5.STABLE3-6.3E.7.i386.rpm IA-64 squid-2.5.STABLE3-6.3E.7.ia64.rpm x86_64 squid-2.5.STABLE3-6.3E.7.x86_64.rpm https://rhn.redhat.com/ Red Hat Linux Advanced Workstation 2.1 Itanium Processor SRPMS squid-2.4.STABLE7-1.21as.4.src.rpm IA-64 squid-2.4.STABLE7-1.21as.4.ia64.rpm https://rhn.redhat.com/ Red Hat Linux Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 4) https://rhn.redhat.com/ |
|
Standar resources |
|
| Property | Value |
| CVE | CAN-2005-0173 |
| BID | |
Other resources |
|
|
Squid-2.5 Patches http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces Debian Security Advisory DSA 667-1 http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00044.html SUSE Security Summary Report SUSE-SR:2005:003 http://www.novell.com/linux/security/advisories/2005_03_sr.html Mandrakesoft Security Advisories MDKSA-2005:034 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:034 SUSE Security Announcement SUSE-SA:2005:006 http://www.novell.com/linux/security/advisories/2005_06_squid.html Red Hat Security Advisory RHSA-2005:061-19 https://rhn.redhat.com/errata/RHSA-2005-061.html Red Hat Security Advisory RHSA-2005:060-20 https://rhn.redhat.com/errata/RHSA-2005-060.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2005-02-07 |
| 1.1 | Aviso emitido por Mandrake (MDKSA-2005:034). Aviso emitido por SUSE (SUSE-SA:2005:006). | 2005-02-11 |
| 1.2 | Aviso emitido por Red Hat (RHSA-2005:061-19) | 2005-02-14 |
| 1.3 | Aviso emitido por Red Hat (RHSA-2005:060-20) | 2005-02-16 |