Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

- Sanity check usernames in squid_ldap_auth (squid bug #1187), classified
  as a minor security issue by the vendor, see below for VuXML information
- FQDN names truncated on compressed DNS responses (squid bug #1136)
- Internal DNS memory leak on malformed responses (squid bug #1197)

Proposed VuXML information, entry date left to be filled in:

<vuln vid="7a921e9e-68b1-11d9-9e1e-c296ac722cb3">
  <topic>squid -- no sanity check of usernames in squid_ldap_auth</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.5.7_7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The LDAP authentication helper did not strip leading or
        trailing spaces from the login name. According to the squid
        patches page:</p>
      <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces">
        <p>LDAP is very forgiving about spaces in search filters and
          this could be abused to log in using several variants of the
          login name, possibly bypassing explicit access controls or
          confusing accounting.</p>
        <p>Workaround: Block logins with spaces</p>
        <pre>
acl login_with_spaces proxy_auth_regex [:space:]
http_access deny login_with_spaces
        </pre>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces</url>
    <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1187</url>
  </references>
  <dates>
    <discovery>2005-01-10</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>

Fix: Apply this patch:
State Changed
From-To: open->closed

Committed, thanks!
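
A sketch of the kind of login-name check the VuXML description above calls for, written for this page as an added example: it is not the vendor patch and not part of the original report. It shows an exact-match access control passing space-padded variants of a denied name unless the name is validated first. The names login_name_ok, acl_denies and admit are hypothetical, the deny-list entry and sample logins are constructed, and allowing single interior spaces is this example's assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check, not the Squid patch: accept a login name only if it
 * has no leading or trailing whitespace, no whitespace character other
 * than ' ', and no run of consecutive spaces. */
static int login_name_ok(const char *user)
{
    const unsigned char *p = (const unsigned char *)user;

    if (*p == '\0' || isspace(*p))
        return 0;                       /* empty or leading whitespace */
    for (; p[1] != '\0'; p++) {
        if (isspace(*p) && (*p != ' ' || isspace(p[1])))
            return 0;                   /* tab/newline, or doubled space */
    }
    return !isspace(*p);                /* trailing whitespace */
}

/* Exact-match deny list, standing in for an ACL keyed on the login string. */
static int acl_denies(const char *user)
{
    return strcmp(user, "mallory") == 0;    /* constructed sample entry */
}

/* Returns 1 if the request may proceed to the directory lookup. */
static int admit(const char *user, int validate)
{
    if (validate && !login_name_ok(user))
        return 0;
    return !acl_denies(user);
}

int main(void)
{
    /* Constructed sample logins. */
    const char *samples[] = { "mallory", " mallory", "mallory ", "alice", "mary ann" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] without check: %d, with check: %d\n",
               samples[i], admit(samples[i], 0), admit(samples[i], 1));
    return 0;
}
```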