Squid ACLs May Be Confusing When Empty Lists are Declared
|
|
SecurityTracker Alert ID: 1012649
|
|
SecurityTracker URL: http://securitytracker.com/id?1012649
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 22 2004
|
Impact: Not specified
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.5 and prior versions
|
Description: A security issue was reported in the Squid proxy caching server. An administrator may be confused about the meaning of access controls in certain cases.
If any empty access control lists are declared, the system may implement an access control configuration that the administrator does
not expect.
For example, the following lines will be parsed as "http_access allow somewhere":
acl something src "/path/to/empty_file.txt"
http_access allow something somewhere
The vendor has classified this as having "minor security" severity.
|
Impact: An administrator may be confused about the meaning of the implemented access controls when empty lists are defined.
|
Solution: A patch is available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch
|
Vendor URL: www.squid-cache.org/bugs/show_bug.cgi?id=1166 (Links to External Site)
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 21 Dec 2004 23:11:53 -0500
Subject: http://www.squid-cache.org/bugs/show_bug.cgi?id=1166
|
> synopsis The meaning of the access controls becomes somewhat confusing if
> any of the referenced acls is declared empty, without any members.
> severity Minor Security
> versions Squid-2.5 and earlier
A patch is available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch
|
|
