Hello... The following is a quick example of a possible security advisory
for when we get a security team up and running. I suppose I should check
into what creation tools are being used for documentation by the rest of
gentoo and write a template in that format so we can generate a text
document suitable for bugtraq and automatically generate a webpage for our
site.

I'd like to ask anyone with sysadmin experience to let me know if
something is missing or could possibly be confusing. Oh, and if anyone
has some tasteful ASCII line drawing skill, etc., please help me spruce
it up and make it look more professional.

Thanks :)


Subject: Gentoo Advisory: squid

------------------------------
Gentoo Linux Security Advisory
------------------------------

Gentoo Linux is a free x86-based community developed Linux distribution
with an advanced package management system (called Portage). Since it may
be possible for users to use different versions of the same package, it is
important that users carefully read this announcement to assess the impact
of the problem on their systems and choose a workaround or solution that
matches their situation.

Packages: net-www/squid (all prior to 2.3.4s-r4)
Date: July 30, 2001
Status: Resolved
Author: Bruce A. Locke (blocke@g.o)

Description:

Squid has a serious security flaw which may allow access to an internal
network and local services if Squid is configured for http_accel while
http_accel_with_proxy is set to "off".

Impact:

May allow unauthorized access to internal networks and may be used as
a way to get around IP based security rules, etc.

Solution:

All users are recommended to upgrade to the latest version available
in portage (2.3.4s-r4). Those unable to upgrade to this version can
disable http_accel mode in Squid's configuration to disable the affected
parts of Squid.

Recommended Procedure:

- su into root
- merge new version of squid:

    cd /usr/portage/net-www/squid
    emerge squid-2.3.4s-r4.ebuild (or newer version)

- restart the squid service:

    /etc/rc.d/init.d/squid stop
    /etc/rc.d/init.d/squid start

- unmerge old version (package version may be different):

    ebuild /var/db/pkg/net-www/squid/squid-2.3.4s-r3.ebuild unmerge


---------------------------------------------------------------------
Bruce A. Locke
blocke@××××××.org
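The check an administrator would want before choosing between the upgrade and the workaround in the advisory above, as an added example that is not part of the original post or of Gentoo's tooling: a POSIX shell script that parses a squid.conf and reports whether it is in the affected state (accelerator mode enabled while the with-proxy option is off). It assumes that the advisory's "http_accel" and "http_accel_with_proxy" refer to the Squid 2.x directives httpd_accel_host and httpd_accel_with_proxy, and that an absent httpd_accel_with_proxy means off (Squid's default for that directive); the sample configuration embedded in it is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Gentoo's tooling.
# Reports whether a squid.conf is in the configuration the advisory calls
# affected: accelerator mode enabled while httpd_accel_with_proxy is off.
# Assumptions: the advisory's "http_accel" / "http_accel_with_proxy" are the
# Squid 2.x directives httpd_accel_host and httpd_accel_with_proxy, and an
# absent httpd_accel_with_proxy means "off" (Squid's default for it).

# Print the last value given for a directive, ignoring comments. Squid uses
# the last occurrence when a directive is repeated, so the last one wins.
squid_conf_value() {
    directive="$1"
    conf="$2"
    sed -e 's/#.*//' "$conf" | awk -v d="$directive" '$1 == d { v = $2 } END { print v }'
}

# Return 0 (true) when the config is in the affected state, 1 otherwise.
squid_accel_exposed() {
    conf="$1"
    accel_host=$(squid_conf_value httpd_accel_host "$conf")
    with_proxy=$(squid_conf_value httpd_accel_with_proxy "$conf")

    # No httpd_accel_host means accelerator mode is not enabled at all.
    [ -n "$accel_host" ] || return 1

    case "$with_proxy" in
        [Oo][Nn]) return 1 ;;   # accelerator plus proxy: not the affected combination
        *)        return 0 ;;   # "off" or unset: the combination the advisory warns about
    esac
}

# Constructed sample squid.conf (not from any real host) in the affected state.
squid_sample_conf() {
    printf '%s\n' \
        '# constructed sample squid.conf' \
        'http_port 3128' \
        'httpd_accel_host www.internal.example' \
        'httpd_accel_port 80' \
        'httpd_accel_with_proxy off'
}

# When run as a script with a path, report on that file, e.g.:
#   sh check-squid-accel.sh /etc/squid/squid.conf
if [ "$#" -gt 0 ]; then
    if squid_accel_exposed "$1"; then
        echo "$1: accelerator mode with httpd_accel_with_proxy off; affected, follow the advisory"
    else
        echo "$1: not in the affected configuration"
    fi
fi
```

The script only inspects the configuration; the authoritative fix remains the upgrade in the advisory, and the check is meant to tell a host that merely has Squid installed apart from one actually running it in the affected mode.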