Debian Bug report logs -
#521052
CVE-2009-0801: HTTP Host Header Incorrect Relay Behavior Vulnerability
Reported by: Raphael Geissert <atomo64@gmail.com>
Date: Tue, 24 Mar 2009 15:15:01 UTC
Severity: important
Tags: security
Found in version squid3/3.0.PRE5-5
Fixed in version squid3/3.3.3-1
Done: Luigi Gangitano <luigi@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#521052; Package squid3.
(Tue, 24 Mar 2009 15:15:03 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: squid3
Version: 3.0.PRE5-5
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for squid.
CVE-2009-0801[0]:
| Squid, when transparent interception mode is enabled, uses the HTTP
| Host header to determine the remote endpoint, which allows remote
| attackers to bypass access controls for Flash, Java, Silverlight, and
| probably other technologies, and possibly communicate with restricted
| intranet sites, via a crafted web page that causes a client to send
| HTTP requests with a modified Host header.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801
http://security-tracker.debian.net/tracker/CVE-2009-0801
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#521052; Package squid3.
(Fri, 15 Jan 2010 00:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.
(Fri, 15 Jan 2010 00:36:06 GMT) (full text, mbox, link).
Message #8 received at 521052@bugs.debian.org (full text, mbox, reply):
This bug has not been publicly addressed upstream and has been marked as 'minor' by several other distribution's Security Teams.
Workarounds for admins and users are listed in the CERT KB
http://www.kb.cert.org/vuls/id/435052
Regards,
L
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#521052; Package squid3.
(Sat, 15 Oct 2011 06:42:23 GMT) (full text, mbox, link).
Acknowledgement sent
to Amos Jeffries <squid3@treenet.co.nz>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Sat, 15 Oct 2011 06:42:23 GMT) (full text, mbox, link).
Message #13 received at 521052@bugs.debian.org (full text, mbox, reply):
A partial fix for this problem is now available at
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-host-verify.patch
It does not include the destination IP pinning available in the 3.2
series fix it was based on. So is not a full fix. But does include the
IP verification checks to raise the visibility when attacks are made.
It has been tested and works well on Linux with iptables. Although some
users who are currenty taking advantage of Squid ignoring NAT errors
will face 409 Conflict errors when validation is done on the IP.
Amos
Added tag(s) pending.
Request was from Anibal Monsalve Salazar <anibal@debian.org>
to control@bugs.debian.org.
(Mon, 22 Apr 2013 08:06:05 GMT) (full text, mbox, link).
Reply sent
to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility.
(Mon, 22 Apr 2013 21:03:11 GMT) (full text, mbox, link).
Notification sent
to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer.
(Mon, 22 Apr 2013 21:03:11 GMT) (full text, mbox, link).
Message #20 received at 521052-close@bugs.debian.org (full text, mbox, reply):
Source: squid3
Source-Version: 3.3.3-1
We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 521052@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 21 Apr 2013 23:51:11 +0200
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all i386
Version: 3.3.3-1
Distribution: unstable
Urgency: low
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI
squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
squid3 - Full featured Web Proxy cache (HTTP proxy)
squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 521052 644280 656304 669148 694633 701799 702540 703954
Changes:
squid3 (3.3.3-1) unstable; urgency=low
.
* New upstream release (Closes: #694633, #701799, #702540)
- Removed upstream patches
+ debian/patches/20-ipv6-fix
+ debian/patches/30-CVE-2012-5643-CVE-2013-0189.patch
+ debian/patches/fix-701123-regression-in-cachemgr.patch
- Includes upstream fix for CVE-2009-0801 (Closes: #521052)
- Includes upstream fix for rejection of benign request containing variants
of double CR (Closes: #669148)
.
* debian/control
- Added dependency on libecap2-dev
- Added squid-purge package
.
* debian/source
- Enabled ECAP support
- Fixed configure invocation to match new syntax
- Removed unneeded rename of helper man pages
- Fixed list of helpers to build, adding fake agents (Closes: #644280)
and negotiate wrapper (Closes: #656304)
.
* debian/watch
- Updated for 3.3
.
* debian/squid3.logrotate
- Added check for existing binary in logrotate script (Closes: #703954)
Checksums-Sha1:
fe6f750473d9338dc2946c7d3d5bc13380d1800a 1475 squid3_3.3.3-1.dsc
40c2a6bdf4167d416de800ab1ded801d4142fe47 4191938 squid3_3.3.3.orig.tar.gz
be5c6fcbbef07f010deceb8ec93f5f975b5b4f50 20131 squid3_3.3.3-1.debian.tar.gz
c444a98f003ec14cbd409a041f094fda58b0be38 245408 squid3-common_3.3.3-1_all.deb
1a564b3221621c3b19e269df12afde0368c037d7 2425254 squid3_3.3.3-1_i386.deb
155ca963f3a1b6583de3e15f69a5f7ae4ca7a994 13518772 squid3-dbg_3.3.3-1_i386.deb
263bcc758f0eb06004c6a0bd3207fe7afa5e8e11 126432 squidclient_3.3.3-1_i386.deb
d02774081bf43e51f8aa81cf09358554c948bd46 129592 squid-cgi_3.3.3-1_i386.deb
c6a92711c87f8381bf3ac958fc6956f0beff3cb8 118910 squid-purge_3.3.3-1_i386.deb
Checksums-Sha256:
d0705922bb734f8a66b86e859e4bb1291e277c1894922f3e57cfeb60516c1e7b 1475 squid3_3.3.3-1.dsc
2505547a0ff5b24b9f3924a7e4ebcbfd4ce41a160b8d841331edf711c2912138 4191938 squid3_3.3.3.orig.tar.gz
6a67e847f19ee5c5084685432eb4741ec2a234d422bff0cde1d71da6fedbcd77 20131 squid3_3.3.3-1.debian.tar.gz
cd0e76f6ca35d3af7d2e116bb2e0385e5bf87bd2bcc71fcce1717c2a6b17843d 245408 squid3-common_3.3.3-1_all.deb
27402e2c23844176f9c0da0e0982b326dc8ed3fef7035c9d617b8f354c90c10d 2425254 squid3_3.3.3-1_i386.deb
3ca668f848c47516742e0fbdc2010263300c07cb398b34e9c2710a1c5ceae05e 13518772 squid3-dbg_3.3.3-1_i386.deb
9d3dc7479e3362764831f2d5624acd1abdcf49c3f169fb60900c8cf657dbba8b 126432 squidclient_3.3.3-1_i386.deb
3cb03af506e6a39b5d10483fcbb91e0b79e19a2d7dc9d2741405a4a1f800edd8 129592 squid-cgi_3.3.3-1_i386.deb
8dd0d46365b6239c39052de3133ea9da3ac7f7efce2c0ef3950c2b8f6acd7a03 118910 squid-purge_3.3.3-1_i386.deb
Files:
d4a4910d16a3b8e878712102d1ac7350 1475 web optional squid3_3.3.3-1.dsc
357eec4f49225223b5b705794da4eb26 4191938 web optional squid3_3.3.3.orig.tar.gz
b8cde55fbba8b2f047fd0b05dfca17e3 20131 web optional squid3_3.3.3-1.debian.tar.gz
fa635b9ab57746f8b3ec94b00ab541e4 245408 web optional squid3-common_3.3.3-1_all.deb
5f5bc35efafb795b796a2c53fbaf5243 2425254 web optional squid3_3.3.3-1_i386.deb
a1781fd9679016da7ae2a19445bacb53 13518772 debug extra squid3-dbg_3.3.3-1_i386.deb
0f251337e21c8cb0b0723f5f70df4bd2 126432 web optional squidclient_3.3.3-1_i386.deb
079485e7696149f326bcd1841a714f12 129592 web optional squid-cgi_3.3.3-1_i386.deb
343782a7f5dbca74688e6524c9732b05 118910 web optional squid-purge_3.3.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
iEYEARECAAYFAlF0ZIUACgkQ8ZumGJJMDCaDTACeIsJqwX4yM6xdUIGYlDrEUpxU
CSYAn1Sy/UPccvclzTdGktdzqKRNtLfm
=G2Xg
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 21 May 2013 07:27:40 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:32:19 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon