From: "Bruce A. Locke"
To: gentoo-dev@gentoo.org
Subject: [gentoo-dev] Security Advisory Template Draft
Date: Mon Jul 30 14:19:01 2001
Message-Id: <20010730162101.124d5ed1.blocke@shivan.org>
List-Id: Gentoo Linux development list

Hello...

The following is a quick example of a possible security advisory for when we get a security team up and running. I suppose I should check into what creation tools are being used for documentation by the rest of Gentoo and write a template in that format so we can generate a text document suitable for bugtraq and automatically generate a webpage for our site.

I'd like to ask anyone with sysadmin experience to let me know if something is missing or could possibly be confusing.
Oh, and if anyone has some tasteful ASCII line drawing skill, etc., please help me spruce it up and make it look more professional. Thanks :)

Subject: Gentoo Advisory: squid

------------------------------
Gentoo Linux Security Advisory
------------------------------

Gentoo Linux is a free x86-based community-developed Linux distribution with an advanced package management system (called Portage). Since it may be possible for users to use different versions of the same package, it is important that users carefully read this announcement to assess the impact of the problem on their systems and choose a workaround or solution that matches their situation.

Packages: net-www/squid (all prior to 2.3.4s-r4)
Date:     July 30, 2001
Status:   Resolved
Author:   Bruce A. Locke (blocke@gentoo.org)

Description:

Squid has a serious security flaw which may allow access to an internal network and local services if Squid is configured for http_accel while http_accel_with_proxy is set to "off".

Impact:

May allow unauthorized access to internal networks and may be used as a way to get around IP-based security rules, etc.

Solution:

All users are recommended to upgrade to the latest version available in portage (2.3.4s-r4). Those unable to upgrade to this version can disable http_accel mode in Squid's configuration to disable the affected parts of Squid.

Recommended Procedure:

- su into root

- merge new version of squid:

    cd /usr/portage/net-www/squid
    emerge squid-2.3.4s-r4.ebuild (or newer version)

- restart the squid service:

    /etc/rc.d/init.d/squid stop
    /etc/rc.d/init.d/squid start

- unmerge old version (package version may be different):

    ebuild /var/db/pkg/net-www/squid/squid-2.3.4s-r3.ebuild unmerge

---------------------------------------------------------------------
Bruce A. Locke
blocke@shivan.org
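
Added example (not part of the original message or of any Gentoo tooling): a shell check an administrator could run against squid.conf to see whether it matches the configuration the advisory describes. It assumes the Squid 2.x directive names httpd_accel_host and httpd_accel_with_proxy, also accepts the advisory's http_accel spelling, and treats an unset httpd_accel_with_proxy as "off"; the function name squid_accel_exposed and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumption: Squid 2.x spells the
# accelerator directives httpd_accel_host / httpd_accel_with_proxy; the
# advisory's shorter http_accel* spelling is accepted as well.

# squid_accel_exposed FILE
#   returns 0 if accelerator mode is configured and httpd_accel_with_proxy
#             is off (or unset, which is treated as off here),
#           1 if that combination is not present,
#           2 if FILE cannot be read.
squid_accel_exposed() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        { name = tolower($1) }
        # The last occurrence of a directive decides its value.
        name ~ /^httpd?_accel_host$/ && NF >= 2 { accel = 1 }
        name ~ /^httpd?_accel_with_proxy$/ { proxy = (tolower($2) == "on") }
        END { if (accel && !proxy) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample configuration for the demonstration below.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
http_port 80
httpd_accel_host 192.0.2.10      # constructed backend address
httpd_accel_port 80
httpd_accel_with_proxy off
EOF

if squid_accel_exposed "$demo_conf"; then
    echo "matches advisory: accelerator on, httpd_accel_with_proxy off"
else
    echo "configuration does not match the advisory"
fi
rm -f "$demo_conf"
```

A match only says the configuration is the affected one; whether the installed package is older than 2.3.4s-r4 still has to be checked separately.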