Red Hat Security Advisory
Synopsis: Updated squid package fixes security vulnerability
Advisory ID: RHSA-2004:134-01
Issue date: 2004-03-29
Updated on: 2004-03-29
Product: Red Hat Linux
Keywords: phishing spoofing
Cross references:
Obsoletes:
CVE Names: CAN-2004-0189
1. Topic:
An updated squid package is avaliable that fixes a security
vulnerability in URL decoding and provides a new ACL type for
protecting vulnerable clients.
2. Relevant releases/architectures:
Red Hat Linux 9 – i386
3. Problem description:
Squid is a full-featured Web proxy cache.
A bug was found in the processing of %-encoded characters in a
URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid
configuration uses Access Control Lists (ACLs), a remote attacker
could create URLs that would not be correctly tested against
Squid’s ACLs, potentially allowing clients to access prohibited
URLs.
Users of Squid should update to these erratum packages which are
not vulnerable to this issue.
In addition, these packages contain a new Access Control type,
“urllogin”, which can be used to protect vulnerable Microsoft
Internet Explorer clients from accessing URLs that contain login
information. Such URLs are often used by fraudsters to trick web
users into revealing valuable personal data.
Note that the default Squid configuration does not make use of
this new access control type. You must explicitly configure Squid
with ACLs that use this new type, in accordance with your own site
policies.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.
Please note that this update is also available via Red Hat
Network. Many people find this an easier way to apply updates. To
use Red Hat Network, launch the Red Hat Update Agent with the
following command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the up2date
client with an updated certificate. The latest version of up2date
is available from the Red Hat FTP site and may also be downloaded
directly from the RHN website:
https://rhn.redhat.com/help/latest-up2date.pxt
5. RPMs required:
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/squid-2.5.STABLE1-3.9.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/squid-2.5.STABLE1-3.9.i386.rpm
6. Verificationx:
MD5 sum Package Name
3a78ab4b0423bdbfc5b6bb36897b78ce
9/en/os/SRPMS/squid-2.5.STABLE1-3.9.src.rpm
348ca4845204fadad07116be64d9767e
9/en/os/i386/squid-2.5.STABLE1-3.9.i386.rpm
These packages are GPG signed by Red Hat for security. Our key
is available from https://www.redhat.com/security/keys.html
You can verify each package with the following command:
rpm –checksig -v <filename>
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
md5sum <filename>
7. References:
http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
http://www.microsoft.com/security/incident/spoof.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.