author | nectar <nectar@FreeBSD.org> | 2005-01-14 04:42:56 +0800 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2005-01-14 04:42:56 +0800 |
commit | a6902b316278ca90c424a6110c9b30a5357d5fc4 (patch) | |
tree | f07b362c8867a6b41ff2fe7c62ec63c8f660009f /security | |
parent | 46e7a6af9996473d7cc3d76e8a16f8b03f2b881d (diff) | |
For the latest three Squid issues, add references to the Squid bug
tracking database. Also, rework the description of the empty ACL issue.
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index a1d0e7a79479..24a29cecd223 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -142,6 +142,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </description> <references> <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service</url> + <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1190</url> </references> <dates> <discovery>2005-01-07</discovery> @@ -174,10 +175,12 @@ http_access deny Gopher</pre> </description> <references> <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing</url> + <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1189</url> </references> <dates> <discovery>2005-01-11</discovery> <entry>2005-01-12</entry> + <modified>2005-01-13</modified> </dates> </vuln> 
@@ -922,23 +925,28 @@ http_access deny Gopher</pre> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The squid-2.5 patches pages notes:</p> - <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls"> - <p>The meaning of the access controls becomes somewhat - confusing if any of the referenced acls is declared empty, - without any members.</p> - <p>[Administrators should] pay attention to warnings from - "squid -k parse" and do not use configurations where there - are warnings about access controls in production.</p> + <p>Applying an empty ACL list results in unexpected behavior: + anything will match an empty ACL list. For example,</p> + <blockquote cite="http://www.squid-cache.org/bugs/show_bug.cgi?id=1166"> + <p>The meaning of the configuration gets very confusing when + we encounter empty ACLs such as</p> + <p><code>acl something src "/path/to/empty_file.txt"<br /> + http_access allow something somewhere</code></p> + <p>gets parsed (with warnings) as</p> + <p><code>http_access allow somwhere</code></p> + <p>And similarily if you are using proxy_auth acls without + having any auth schemes defined.</p> </blockquote> </body> </description> <references> <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url> + <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1166</url> </references> <dates> <discovery>2004-12-21</discovery> <entry>2004-12-23</entry> + <modified>2005-01-13</modified> </dates> </vuln> |
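Review bot: The first hunk (@@ -142,6 +142,7, the wccp_denial_of_service entry) adds the bug 1190 URL without a `<modified>` element in the visible lines, while the other two entries touched by this commit each gain `<modified>2005-01-13</modified>`. The context ends at `<discovery>2005-01-07</discovery>`, so the entry date is not visible here. If this entry was published before 2005-01-13, add the same `<modified>` line to its `<dates>` block so that consumers of vuln.xml can see that the entry changed.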
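Review bot: In the third hunk (@@ -922,23 +925,28, the empty ACL entry), the parsed-result line `<code>http_access allow somwhere</code>` misspells the ACL name given two lines earlier as `somewhere`, which blurs the point that only the empty `something` ACL is dropped from the rule. "similarily" is misspelled as well. Both sit inside the `<blockquote>` citing bug 1166, so check them against that report and either correct them or keep them verbatim on purpose. In the new lead-in, "empty ACL list" is redundant and "empty ACL" would read better. The rework also removes the quoted advice to heed warnings from "squid -k parse", which was the only operator guidance in the description. Consider keeping a sentence to that effect, since the new text itself notes that the configuration is parsed "with warnings".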