* [gentoo-dev] Security Advisory Template Draft
@ 2001-07-30 14:19 Bruce A. Locke
From: Bruce A. Locke @ 2001-07-30 14:19 UTC
To: gentoo-dev
Hello... The following is a quick example of a possible security advisory
for when we get a security team up and running. I suppose I should check
into what creation tools are being used for documentation by the rest of
gentoo and write a template in that format so we can generate a text
document suitable for bugtraq and automatically generate a webpage for our
site.

I'd like to ask anyone with sysadmin experience to let me know if
something is missing or could possibly be confusing. Oh,
and if anyone has some tasteful ASCII line drawing skill, etc., please help
me spruce it up and make it look more professional.

Thanks :)

Subject: Gentoo Advisory: squid

------------------------------
Gentoo Linux Security Advisory
------------------------------

Gentoo Linux is a free x86-based community developed Linux distribution
with an advanced package management system (called Portage). Since it may
be possible for users to use different versions of the same package, it is
important that users carefully read this announcement to assess the impact
of the problem on their systems and choose a workaround or solution that
matches their situation.

Packages: net-www/squid (all prior to 2.3.4s-r4)
Date: July 30, 2001
Status: Resolved
Author: Bruce A. Locke (blocke@gentoo.org)

Description:
Squid has a serious security flaw which may allow access to an internal
network and local services if Squid is configured for http_accel while
http_accel_with_proxy is set to "off".

Impact:
May allow unauthorized access to internal networks and may be used as
a way to get around IP based security rules, etc.

Solution:
All users are recommended to upgrade to the latest version available
in portage (2.3.4s-r4). Those unable to upgrade to this version can
disable http_accel mode in Squid's configuration to disable the affected
parts of Squid.

Recommended Procedure:
- su into root
- merge new version of squid:
    cd /usr/portage/net-www/squid
    emerge squid-2.3.4s-r4.ebuild (or newer version)
- restart the squid service:
    /etc/rc.d/init.d/squid stop
    /etc/rc.d/init.d/squid start
- unmerge old version (package version may be different):
    ebuild /var/db/pkg/net-www/squid/squid-2.3.4s-r3.ebuild unmerge

---------------------------------------------------------------------
Bruce A. Locke
blocke@shivan.org
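
Added example, not part of the original message or of the Gentoo project: a shell check for the configuration combination the advisory's Description names, so a sysadmin can tell whether the workaround applies to a given squid.conf. It assumes the Squid 2.x directive spellings httpd_accel_host and httpd_accel_with_proxy (the advisory writes http_accel) and that an absent httpd_accel_with_proxy means "off"; the function name and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory). Assumption: Squid 2.x spells the
# directives httpd_accel_host and httpd_accel_with_proxy, and treats
# httpd_accel_with_proxy as "off" when it is absent.

# squid_accel_exposed FILE
#   0 = accelerator mode on and httpd_accel_with_proxy off (advisory's case)
#   1 = not that combination
#   2 = FILE unreadable
squid_accel_exposed() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                              # drop comments
        $1 == "httpd_accel_host"       { host  = $2 }   # keep last value seen
        $1 == "httpd_accel_with_proxy" { proxy = tolower($2) }
        END {
            if (host == "")    exit 1   # accelerator mode not configured
            if (proxy == "on") exit 1   # proxying explicitly enabled
            exit 0                      # accel on, with_proxy off or unset
        }
    ' "$1"
}

# Constructed sample configuration, written to a temp file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_port 80
# httpd_accel_with_proxy on   (commented out, so the default applies)
httpd_accel_host 192.0.2.10
httpd_accel_port 80
EOF

if squid_accel_exposed "$sample"; then
    echo "affected combination: upgrade or disable accelerator mode"
else
    echo "not the combination described in the advisory"
fi
rm -f "$sample"
```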