Squid HTCP Support Cannot Be Disabled at Runtime Vulnerability
Published: 2002-02-21
Updated: 2002-02-25
Affected systems:
National Science Foundation Squid Web Proxy 2.4STABLE3
National Science Foundation Squid Web Proxy 2.4STABLE2
National Science Foundation Squid Web Proxy 2.4STABLE1
National Science Foundation Squid Web Proxy 2.4
National Science Foundation Squid Web Proxy 2.3
National Science Foundation Squid Web Proxy 2.2
National Science Foundation Squid Web Proxy 2.1
National Science Foundation Squid Web Proxy 2.0
Unaffected systems:
National Science Foundation Squid Web Proxy 2.4STABLE4
Description:
BUGTRAQ ID: 4150
CVE(CAN) ID: CVE-2002-0067
Squid is a web proxy and cache that runs on Linux/Unix systems. It includes support for the Hypertext Caching Protocol (HTCP), defined in RFC 2756, which is used to discover and manage cached objects between cooperating caches. In most default installations HTCP support is compiled out, but building Squid with the '--enable-htcp' configure option compiles it in.
Squid has an implementation problem that prevents the administrator from enabling or disabling HTCP support while the program is running.
Although the Squid documentation states that HTCP support can be turned on or off in the Squid configuration file, in practice, once HTCP support has been compiled into Squid it is always active: Squid keeps listening for HTCP on UDP port 4827 even when "htcp_port 0" is set in squid.conf. An administrator therefore cannot control the state of this option at runtime, and an attacker who can reach the HTCP port may be able to bypass the intended access restrictions.
<*Source: Jouko Pynnonen (jouko@solutions.fi)
Henrik Nordstrom (hno@squid-cache.org)
Links: http://archives.neohapsis.com/archives/bugtraq/2002-02/0230.html
http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
https://www.redhat.com/support/errata/RHSA-2002-029.html
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016-1.php
http://www.trustix.net/errata/misc/2002/TSL-2002-0031-squid.asc.txt
*>
Recommendations:
Temporary workarounds:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the risk:
* If HTCP support is not needed, do not specify the --enable-htcp option when compiling Squid. On the affected versions the build option is the only effective switch, since "htcp_port 0" in squid.conf is ignored; "squid -v" lists the configure options an existing binary was built with.
* If a firewall is available, filter UDP port 4827 (the default HTCP port) so that only trusted hosts, i.e. your peer caches, can reach it.
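The two workarounds above, as an added example that is not part of the NSFOCUS advisory or the Squid project's own code. The first function reads the output of "squid -v" and reports whether the binary was built with --enable-htcp; the second prints firewall rules that allow UDP/4827 only from listed peer caches. The sample "squid -v" text is constructed for the example, and the use of iptables syntax and the peer addresses 192.0.2.10/192.0.2.11 are assumptions.

```shell
#!/bin/sh
# Added example for this advisory; not code from NSFOCUS or the Squid project.
#   1. htcp_build_status: decides from `squid -v` output whether the binary was
#      built with --enable-htcp. On the affected versions that build flag is the
#      only real switch, because "htcp_port 0" in squid.conf is ignored.
#   2. htcp_filter_rules: prints firewall rules that let only the listed trusted
#      peer caches reach UDP port 4827 (the default HTCP port) and drop the rest.
#      iptables syntax and the peer addresses are assumptions made for the example.

# $1: the full text printed by `squid -v`
# Prints "htcp-enabled" or "htcp-disabled".
htcp_build_status() {
    # Squid 2.x prints a single "configure options: ..." line after the version.
    if printf '%s\n' "$1" | grep -q -- '--enable-htcp'; then
        echo "htcp-enabled"
    else
        echo "htcp-disabled"
    fi
}

# $@: trusted peer cache IP addresses
# Prints one ACCEPT rule per peer followed by a catch-all DROP for UDP/4827.
htcp_filter_rules() {
    for peer in "$@"; do
        echo "iptables -A INPUT -p udp --dport 4827 -s $peer -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 4827 -j DROP"
}

# Constructed sample of `squid -v` output for an HTCP-enabled 2.4.STABLE3 build.
SAMPLE_SQUID_V='Squid Cache: Version 2.4.STABLE3
configure options:  --prefix=/usr/local/squid --enable-htcp --enable-snmp'

# Stand-alone run: report the build status and print rules for two hypothetical
# peer caches (replace with your real peers before applying the rules).
htcp_build_status "$SAMPLE_SQUID_V"
htcp_filter_rules 192.0.2.10 192.0.2.11
```

Run it against the real output of "squid -v" on the proxy host; if it reports "htcp-enabled" and you cannot rebuild immediately, apply the printed rules (adapted to your packet filter) and confirm with "netstat -an" that nothing other than the peers can reach UDP/4827.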
Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2002:464) and corresponding patches:
CLA-2002:464:squid
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Patch downloads:
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/squid-2.3.5-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/squid-2.3.5-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/squid-2.3.5-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/squid-2.3.5-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/squid-2.3.5-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/squid-2.4.1-4U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-templates-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-doc-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-auth-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/squid-2.3.5-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/squid-2.3.5-1U50_1cl.i386.rpm
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-02:12) and corresponding patches:
FreeBSD-SA-02:12:multiple security vulnerabilities in squid port
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Patch downloads:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/squid-2.4_8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.4_8.tgz
MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2002:016-1) and corresponding patches:
MDKSA-2002:016-1:squid
Link: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016-1.php3
Patch downloads:
_______________________________________________________________________
Updated Packages:
Linux-Mandrake 7.1:
60bb70afa95f2b43727bc8c9794fb0f9 7.1/RPMS/squid-2.4.STABLE4-1.5mdk.i586.rpm
a46c4bf51883fcfee529de2812f55458 7.1/SRPMS/squid-2.4.STABLE4-1.5mdk.src.rpm
Linux-Mandrake 7.2:
0c3cfdf038650a8c85e703c8859df8d7 7.2/RPMS/squid-2.4.STABLE4-1.5mdk.i586.rpm
a46c4bf51883fcfee529de2812f55458 7.2/SRPMS/squid-2.4.STABLE4-1.5mdk.src.rpm
Mandrake Linux 8.0:
174eaf577cfde553ee0b8eb301792cba 8.0/RPMS/squid-2.4.STABLE4-1.6mdk.i586.rpm
e1d0df4fe930669e3ba12b90caefeca3 8.0/SRPMS/squid-2.4.STABLE4-1.6mdk.src.rpm
Mandrake Linux 8.0/ppc:
375ecbfec5947e9f47be3ada5084fc88 ppc/8.0/RPMS/squid-2.4.STABLE4-1.6mdk.ppc.rpm
e1d0df4fe930669e3ba12b90caefeca3 ppc/8.0/SRPMS/squid-2.4.STABLE4-1.6mdk.src.rpm
Corporate Server 1.0.1:
60bb70afa95f2b43727bc8c9794fb0f9 1.0.1/RPMS/squid-2.4.STABLE4-1.5mdk.i586.rpm
a46c4bf51883fcfee529de2812f55458 1.0.1/SRPMS/squid-2.4.STABLE4-1.5mdk.src.rpm
Single Network Firewall 7.2:
0c3cfdf038650a8c85e703c8859df8d7 snf7.2/RPMS/squid-2.4.STABLE4-1.5mdk.i586.rpm
a46c4bf51883fcfee529de2812f55458 snf7.2/SRPMS/squid-2.4.STABLE4-1.5mdk.src.rpm
________________________________________________________________________
The updated packages can be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php
RedHat
------
RedHat has released a security advisory (RHSA-2002:029-09) and corresponding patches:
RHSA-2002:029-09:New squid packages available
Link: https://www.redhat.com/support/errata/RHSA-2002-029.html
Patch downloads:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/squid-2.4.STABLE3-1.6.2.src.rpm
alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/squid-2.4.STABLE3-1.6.2.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/squid-2.4.STABLE3-1.6.2.i386.rpm
sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/squid-2.4.STABLE3-1.6.2.sparc.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/squid-2.4.STABLE3-1.7.0.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/squid-2.4.STABLE3-1.7.0.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/squid-2.4.STABLE3-1.7.0.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/squid-2.4.STABLE3-1.7.1.src.rpm
alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/squid-2.4.STABLE3-1.7.1.alpha.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/squid-2.4.STABLE3-1.7.1.i386.rpm
ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/squid-2.4.STABLE3-1.7.1.ia64.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/squid-2.4.STABLE3-1.7.2.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/squid-2.4.STABLE3-1.7.2.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/squid-2.4.STABLE3-1.7.2.ia64.rpm
Trustix
-------
Trustix has released a security advisory (TSLSA-2002-0031) and corresponding patches:
TSLSA-2002-0031:squid-cron
Link: http://www.trustix.net/errata/misc/2002/TSL-2002-0031-squid.asc.txt
Patch downloads:
http://www.trustix.net/pub/Trustix/updates/squid-2.4.STABLE4-1tr.i586.rpm
Squid
-----
Squid has released a security advisory (SQUID-2002:1) and a corresponding fix:
SQUID-2002:1:Security advisory regarding three issues in most Squid-2.x versions up to and including Squid-2.4.STABLE3
Link: http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
Patch downloads:
The issue is fixed in the new release (Squid 2.4.STABLE4), available from:
ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
http://www.squid-cache.org/Versions/v2/2.4/