__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2002:1
__________________________________________________________________
Advisory ID: SQUID-2002:1
Date: February 21, 2002
Affected versions: Squid-2.x up to and including 2.4.STABLE3
__________________________________________________________________
/Advisories/SQUID-2002_1.txt
__________________________________________________________________
Problem Description:
Three security issues have recently been found in the Squid-2.X
releases up to and including 2.4.STABLE3.
a) A memory leak in the optional SNMP interface to Squid,
allowing a malicious user who can send packets to the Squid SNMP
port to possibly perform a denial of service attack on the Squid
proxy service if the SNMP interface has been enabled (disabled by
default).
b) A buffer overflow in the implementation of ftp:// URLs where
users who are allowed to proxy ftp:// URLs via Squid can perform
a denial of service on the proxy service, and possibly even
trigger remote execution of code (not yet confirmed).
c) The optional HTCP interface cannot be properly disabled from
squid.conf even if the documentation claims it can. The HTCP
interface to Squid is not enabled by default, but can be enabled
at compile time using the --enable-htcp configure option and some
vendors distribute Squid binaries with HTCP enabled.
__________________________________________________________________
Updated Packages:
The Squid-2.4.STABLE4 release contains fixes for all these
problems. The Squid-2.4.STABLE4 release can be found from
ftp://ftp.squid-cache.org/pub/archive/2.4/
/Versions/v2/2.4/
or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see
/Download/ftp-mirrors.html
/Download/http-mirrors.html
Individual patches to the mentioned issues can be found from our
patch archive for version Squid-2.4.STABLE3
/Versions/v2/2.4/bugs/
The patches should also apply with only a minimal effort to
earlier Squid versions if required.
__________________________________________________________________
Determining if you are vulnerable:
You are vulnerable to the SNMP issue if you are running any 2.x
version of squid up to squid-2.4.STABLE3 which has the SNMP agent
code compiled in (--enable-snmp configure option) and enabled in
squid.conf (snmp_port option). You can check to see whether the
SNMP code is enabled by looking for the following message in
cache.log when Squid is started:
'Accepting SNMP messages on port'
Similarly for the HTCP issue, but looking for the message
'Accepting HTCP messages on port'
The ftp:// issue cannot be verified as easily, but if you are
running Squid-2.3 or Squid-2.4 up to and including
Squid-2.4.STABLE3 then you are most likely vulnerable to the
ftp:// issue unless you have taken action.
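The cache.log check above can be scripted. The following is an added
example, not part of the advisory or of the Squid distribution: it looks
for the two start-up messages the advisory names and reads the effective
snmp_port value from squid.conf. The sample cache.log and squid.conf
contents are constructed for the example, and their paths under /tmp are
assumptions.

```shell
#!/bin/sh
# Added example (not from the Squid advisory): detect whether the SNMP or
# HTCP listener was active at Squid start-up, and what snmp_port is set to.

# Constructed sample cache.log excerpt (path and contents are assumptions).
SAMPLE_CACHE_LOG="${TMPDIR:-/tmp}/squid-advisory-sample-cache.log"
cat > "$SAMPLE_CACHE_LOG" <<'EOF'
2002/02/21 10:00:01| Accepting HTTP connections at 0.0.0.0, port 3128, FD 8.
2002/02/21 10:00:01| Accepting HTCP messages on port 4827, FD 10.
2002/02/21 10:00:01| Ready to serve requests.
EOF

# Constructed sample squid.conf fragment (path and contents are assumptions).
SAMPLE_SQUID_CONF="${TMPDIR:-/tmp}/squid-advisory-sample-squid.conf"
cat > "$SAMPLE_SQUID_CONF" <<'EOF'
http_port 3128
#snmp_port 0
snmp_port 3401
snmp_incoming_address 0.0.0.0
EOF

# listener_enabled LOGFILE PROTO
# Exit 0 when "Accepting PROTO messages on port" appears in LOGFILE, i.e.
# the SNMP or HTCP code was compiled in and the listener came up.
listener_enabled() {
    grep -q "Accepting $2 messages on port" "$1"
}

# check_squid_udp_listeners LOGFILE
# Prints one line per UDP service; exit 0 only when neither listener is seen.
check_squid_udp_listeners() {
    _rc=0
    for proto in SNMP HTCP; do
        if listener_enabled "$1" "$proto"; then
            echo "$proto listener enabled at start-up (see SQUID-2002:1)"
            _rc=1
        else
            echo "$proto listener not seen in $1"
        fi
    done
    return $_rc
}

# configured_snmp_port CONF
# Prints the value of the last uncommented snmp_port directive, or "unset".
configured_snmp_port() {
    _port=$(grep -E '^[[:space:]]*snmp_port[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${_port:-unset}"
}

check_squid_udp_listeners "$SAMPLE_CACHE_LOG"
echo "snmp_port in $SAMPLE_SQUID_CONF: $(configured_snmp_port "$SAMPLE_SQUID_CONF")"
```

Run it against the real cache.log and squid.conf by replacing the two sample
paths. A listener that is compiled in but has snmp_port 0 produces no
"Accepting SNMP messages" line, so the log check is the authoritative one for
SNMP; for HTCP, which cannot be turned off in squid.conf, the log line is the
only configuration-side indicator.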
__________________________________________________________________
Workarounds:
For the SNMP issue, make sure the SNMP port cannot be reached by
malicious users. The safest method is to disable the SNMP support
entirely in the configuration file squid.conf if SNMP has been
enabled in your binary
snmp_port 0
Or at least restrict it to listen for SNMP only on a trusted
interface such as localhost by using the snmp_incoming_address
directive
snmp_incoming_address 127.0.0.1
The FTP issue can be worked around by denying access to
non-anonymous FTP via Squid. Insert the following two lines at
the top of your squid.conf:
acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
http_access deny non-anonymous-ftp
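To see which requests the two lines above actually deny, here is an added
example (not from the advisory or from Squid) that runs the same pattern
against a few constructed URLs. Squid compiles url_regex patterns as POSIX
extended regular expressions and -i makes the match case-insensitive; grep -iE
is used here as an approximation of that matcher (an assumption).

```shell
#!/bin/sh
# Added example (not from the Squid advisory): exercise the
# non-anonymous-ftp url_regex workaround against constructed URLs.

# The pattern from the advisory's acl line.
NON_ANON_FTP_RE='^ftp://[^/@]*@'

# matches_non_anonymous_ftp URL
# Exit 0 when the workaround ACL would match URL: an ftp:// scheme followed
# by an authority part that contains "@" before the first "/".
matches_non_anonymous_ftp() {
    printf '%s\n' "$1" | grep -iqE "$NON_ANON_FTP_RE"
}

# ftp_workaround_decision URL
# Prints "deny" or "allow", the outcome of the inserted http_access line.
ftp_workaround_decision() {
    if matches_non_anonymous_ftp "$1"; then echo deny; else echo allow; fi
}

# Constructed sample requests (hostnames under .invalid are placeholders).
for url in \
    'ftp://ftp.squid-cache.org/pub/archive/2.4/' \
    'FTP://user:secret@ftp.example.invalid/incoming/' \
    'ftp://user@ftp.example.invalid/' \
    'ftp://ftp.example.invalid/pub/some@file' \
    'http://user@www.example.invalid/'; do
    printf '%-50s %s\n' "$url" "$(ftp_workaround_decision "$url")"
done
```

The character class [^/@]* is what keeps the rule precise: an "@" that
appears in the path (the fourth URL) is not treated as a login, and only
ftp:// requests are affected, so anonymous FTP through the proxy keeps
working. Because the http_access line is inserted at the top of squid.conf,
the deny is evaluated before any later allow rules.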
The HTCP issue cannot be worked around fully by configuration
alone, but you can restrict which IP address HTCP is listening
for messages on by using the udp_incoming_address directive. Make
sure your binary isn't compiled with support for HTCP unless you
have a reason to use HTCP.
We also encourage you to take advantage of packet filtering
features of your operating system (e.g., ipchains, iptables,
ipfw, pf) and/or routers/firewalls to discard Squid SNMP (UDP
port 3401) or HTCP (UDP port 4827) queries from hosts outside
of your organization unless specifically authorized to use these
protocols.
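As an added example of the packet-filter workaround (not from the advisory,
which names several filtering tools without giving rules), the script below
builds iptables rules that accept UDP 3401 and 4827 only from the trusted
networks given on the command line and drop everything else. iptables is
assumed to be the filter in use and the trusted network 192.0.2.0/24 is a
placeholder; rules are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the Squid advisory): generate, and optionally
# apply, iptables rules restricting Squid's SNMP and HTCP UDP ports.

SQUID_SNMP_PORT=3401
SQUID_HTCP_PORT=4827

# run CMD ARGS...
# Print the command by default; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# squid_udp_filter_rules TRUSTED_NET [TRUSTED_NET ...]
# For each UDP port, emit one ACCEPT per trusted network and then a DROP.
# Order matters: the ACCEPT rules must precede the DROP for that port.
squid_udp_filter_rules() {
    for port in "$SQUID_SNMP_PORT" "$SQUID_HTCP_PORT"; do
        for net in "$@"; do
            run iptables -A INPUT -p udp --dport "$port" -s "$net" -j ACCEPT
        done
        run iptables -A INPUT -p udp --dport "$port" -j DROP
    done
}

# Placeholder trusted network; replace with your organization's ranges.
squid_udp_filter_rules 192.0.2.0/24
```

The output is four rules for one trusted network (two per port). When
snmp_port is set to 0 the SNMP rules are harmless but unnecessary; the HTCP
rules remain useful for binaries built with --enable-htcp, since the
advisory notes HTCP cannot be disabled from squid.conf.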
__________________________________________________________________
Revision History:
2010-09-16 07:05 GMT Reference link updates
__________________________________________________________________
END