CVE-2005-1345
CVSS 7.5
Published: 2005-05-02 00:00:00
Last revised: 2010-08-21 00:28:30

[Original text] Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.


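[CNNVD] Squid unspecified vulnerability (CNNVD-200505-577)

        Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which may leave the restrictions lower than the administrator intended.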

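- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]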

- CPE (affected platforms and products)

cpe:/a:squid:squid:2.5.stable5
cpe:/a:squid:squid:2.5.stable9
cpe:/a:squid:squid:2.5.stable2
cpe:/a:squid:squid:2.5.stable1
cpe:/a:squid:squid:2.5.stable3
cpe:/a:squid:squid:2.5.stable6
cpe:/a:squid:squid:2.5.stable4
cpe:/a:squid:squid:2.5.stable8
cpe:/a:squid:squid:2.5.stable7

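- OVAL (technical details for detection)

oval:org.mitre.oval:def:10513 Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, wh...
* OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the relevant OVAL definition.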

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1345
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1345
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-577
(Official data source) CNNVD

- Other links and resources

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error
(PATCH)  CONFIRM  http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error
http://www.squid-cache.org/bugs/show_bug.cgi?id=1255
(UNKNOWN)  CONFIRM  http://www.squid-cache.org/bugs/show_bug.cgi?id=1255
http://www.redhat.com/support/errata/RHSA-2005-415.html
(UNKNOWN)  REDHAT  RHSA-2005:415
http://www.debian.org/security/2005/dsa-721
(UNKNOWN)  DEBIAN  DSA-721
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000948
(UNKNOWN)  CONECTIVA  CLA-2005:948
http://fedoranews.org/updates/FEDORA--.shtml
(UNKNOWN)  FEDORA  FLSA-2006:152809

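- Vulnerability information

Squid unspecified vulnerability
High risk  Unknown
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which may leave the restrictions lower than the administrator intended.

- Advisories and patches

        No data available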

- Vulnerability information (F39096)

Debian Linux Security Advisory 721-1 (PacketStormID:F39096)
2005-08-06 00:00:00
Debian  security.debian.org
advisory
linux,debian
CVE-2005-1345

Debian Security Advisory DSA 721-1 - Michael Bhola discovered a bug in Squid, the popular WWW proxy cache. Squid does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.


- --------------------------------------------------------------------------
Debian Security Advisory DSA 721-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
May 6th, 2005                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : squid
Vulnerability  : design flaw
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1345
Debian Bug     : 307132

Michael Bhola discovered a bug in Squid, the popular WWW proxy cache.
Squid does not trigger a fatal error when it identifies missing or
invalid ACLs in the http_access configuration, which could lead to
less restrictive ACLs than intended by the administrator.

For the stable distribution (woody) this problem has been fixed in
version 2.4.6-2woody8.

For the unstable distribution (sid) this problem has been fixed in
version 2.5.9-7.

We recommend that you upgrade your squid packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


    

- Vulnerability information (F39095)

Ubuntu Security Notice 122-1 (PacketStormID:F39095)
2005-08-06 00:00:00
Ubuntu  ubuntu.com
advisory
linux,ubuntu
CVE-2005-1345

Ubuntu Security Notice USN-122-1 - Michael Bhola discovered that errors in the http_access configuration, in particular missing or invalid ACLs, did not cause a fatal error in Squid. This could lead to wider access permissions than intended by the administrator.

===========================================================
Ubuntu Security Notice USN-122-1	       May 06, 2005
squid vulnerability
CAN-2005-1345
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

squid

The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.8 (for Ubuntu 4.10), or 2.5.8-3ubuntu1.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Michael Bhola discovered that errors in the http_access configuration,
in particular missing or invalid ACLs, did not cause a fatal error.
This could lead to wider access permissions than intended by the
administrator.

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

    

- Vulnerability information

15912
Squid Malformed ACL http_access Restriction Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
