Overview
The Squid web proxy cache may fail to handle empty Access Control Lists (ACLs) in the intended manner.
Description
Squid functions as a web proxy and cache application for a number of protocols. However, Squid Access Control List (ACL) routines may not parse an empty list as intended. An empty list may be interpreted as a nonexistent list rather than a list containing no members. This may or may not be the intended behavior. |
Impact
Unintended access may be granted to all members instead of the intended result of access being denied to all members. |
Solution
Apply an update This flaw has been patched in Squid 2.5.STABLE8. More details are available in the Squid Bugzilla bug #1166. |
Team Squid recommends: |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:ND/RL:ND/RC:ND |
| Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- www.squid-cache.org/bugs/show_bug.cgi?id=1166
- www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
- www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch
- http://www.debian.org/security/2005/dsa-667
- http://secunia.com/advisories/14157/
- http://secunia.com/advisories/14343/
Acknowledgements
Thanks to Team Squid for reporting this vulnerability.
This document was written by Ken MacInnis.
Other Information
| CVE IDs: | CVE-2005-0194 |
| Severity Metric: | 0.27 |
| Date Public: | 2004-12-21 |
| Date First Published: | 2005-02-21 |
| Date Last Updated: | 2005-02-22 20:21 UTC |
| Document Revision: | 8 |