Gentoo Archives: gentoo-dev

From: "Bruce A. Locke" <blocke@××××××.org>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Security Advisory Template Draft
Date: Mon, 30 Jul 2001 14:18:46
Message-Id: 20010730162101.124d5ed1.blocke@shivan.org
Hello... The following is a quick example of a possible security advisory
for when we get a security team up and running. I suppose I should check
into what creation tools are being used for documentation by the rest of
gentoo and write a template in that format so we can generate a text
document suitable for bugtraq and automatically generate a webpage for our
site.

I'd like to ask anyone with sysadmin experience to let me know if
something is missing or could possibly be confusing. Oh,
and if anyone has some tasteful ASCII line drawing skill, etc please help
me spruce it up and make it look more professional.

Thanks :)


Subject: Gentoo Advisory: squid

------------------------------
Gentoo Linux Security Advisory
------------------------------

Gentoo Linux is a free x86-based community developed Linux distribution
with an advanced package management system (called Portage). Since it may
be possible for users to use different versions of the same package, it is
important that users carefully read this announcement to assess the impact
of the problem on their systems and choose a workaround or solution that
matches their situation.

Packages: net-www/squid (all prior to 2.3.4s-r4)
Date: July 30, 2001
Status: Resolved
Author: Bruce A. Locke (blocke@g.o)

Description:

Squid has a serious security flaw which may allow access to an internal
network and local services if Squid is configured for http_accel while
http_accel_with_proxy is set to "off".

Impact:

May allow unauthorized access to internal networks and may be used as
a way to get around IP-based security rules, etc.

Solution:

All users are recommended to upgrade to the latest version available
in portage (2.3.4s-r4). Those unable to upgrade to this version can
disable http_accel mode in Squid's configuration to disable the affected
parts of Squid.

Recommended Procedure:

- su into root
- merge new version of squid:

cd /usr/portage/net-www/squid
emerge squid-2.3.4s-r4.ebuild (or newer version)

- restart the squid service:

/etc/rc.d/init.d/squid stop
/etc/rc.d/init.d/squid start

- unmerge old version (package version may be different):

ebuild /var/db/pkg/net-www/squid/squid-2.3.4s-r3.ebuild unmerge


---------------------------------------------------------------------
Bruce A. Locke
blocke@××××××.org
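The draft above gives an admin two things to check: whether the installed net-www/squid falls in the "all prior to 2.3.4s-r4" range, and whether squid.conf runs the accelerator mode with the with_proxy directive off. The script below turns both into a runnable check. It is an added example written for this archive page, not part of the original mail and not a Gentoo or Squid tool. The advisory writes the directive as http_accel; Squid 2.x's configuration file spells it httpd_accel_host / httpd_accel_port / httpd_accel_with_proxy, so the pattern accepts both spellings. The FIXED_PV value comes from the advisory; the sample squid.conf, the fallback version 2.3.4s-r3, and the assumption that an absent with_proxy directive means "off" are this example's own.

```shell
#!/bin/sh
# Added example: check an installed Gentoo squid against the advisory's
# version range and configuration condition. Not part of the original mail.

FIXED_PV="2.3.4s-r4"    # fixed version named in the advisory

# Split a Gentoo package version such as "2.3.4s-r3" into its base
# ("2.3.4s") and its ebuild revision ("3"); a missing -rN counts as r0.
pv_base() { printf '%s\n' "$1" | sed 's/-r[0-9]*$//'; }
pv_rev()  { case "$1" in *-r*) printf '%s\n' "${1##*-r}" ;; *) echo 0 ;; esac; }

# version_lt A B -> exit 0 when package version A is older than B.
version_lt() {
    a_base=$(pv_base "$1"); b_base=$(pv_base "$2")
    if [ "$a_base" = "$b_base" ]; then
        [ "$(pv_rev "$1")" -lt "$(pv_rev "$2")" ]
    else
        # sort -V puts the lower base version on the first line
        [ "$(printf '%s\n%s\n' "$a_base" "$b_base" | sort -V | head -n1)" = "$a_base" ]
    fi
}

# accel_without_proxy CONF -> exit 0 when CONF turns on accelerator mode
# (an *_accel_host or *_accel_port directive) while *_accel_with_proxy is
# off. Assumption for this example: an absent with_proxy directive is "off".
accel_without_proxy() {
    conf=$(sed 's/#.*//' "$1")      # strip comments before matching
    accel=$(printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*httpd?_accel_(host|port)[[:space:]]' | head -n1)
    with_proxy=$(printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*httpd?_accel_with_proxy[[:space:]]' | tail -n1 \
        | awk '{print $2}')
    [ -n "$accel" ] && [ "${with_proxy:-off}" = "off" ]
}

# squid_advice PV CONF -> prints a one-line verdict; exit 0 when the
# installed version still needs the upgrade the advisory recommends.
squid_advice() {
    if version_lt "$1" "$FIXED_PV"; then
        if accel_without_proxy "$2"; then
            echo "VULNERABLE: squid-$1 with accelerator mode and with_proxy off; upgrade to $FIXED_PV or disable accel mode"
        else
            echo "UPGRADE: squid-$1 is older than $FIXED_PV (affected code installed, described configuration not active)"
        fi
        return 0
    fi
    echo "OK: squid-$1 is $FIXED_PV or newer"
    return 1
}

# Constructed sample squid.conf matching the advisory's affected setup.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http_port 3128
# accelerator in front of the internal web server (sample values)
httpd_accel_host 10.0.0.5
httpd_accel_port 80
httpd_accel_with_proxy off
EOF

# Read the installed version from the Portage package database when it
# exists; otherwise fall back to a constructed pre-fix version for the demo.
installed=$(ls /var/db/pkg/net-www/ 2>/dev/null | grep '^squid-' | head -n1 | sed 's/^squid-//')
squid_advice "${installed:-2.3.4s-r3}" "$SAMPLE_CONF"
```

On a real host, pass the path of the live squid.conf as the second argument instead of the constructed sample; the verdict line distinguishes an installation that merely carries the old code from one that also runs the configuration the advisory describes, which is the distinction the Solution section draws between upgrading and disabling http_accel.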