Affected versions: Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version: Squid 2.6.STABLE17;
November 28 Squid-2 snapshot
November 28 Squid-3 snapshot
Author: Adrian Chadd
Thanks: Wikimedia Foundation
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
__________________________________________________________________
to warrant concern.
I contacted Microsoft and someone named Tony informed me that it's a
bug, not a security vulnerability, whatever that means.
-- Tim Starling
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tim Starling discovered that LibThai did not correctly handle long strings.
A remote attacker could use specially-formed strings to execute arbitrary
code with the user's privileges.
Updated packages for Ubuntu 8.04 LTS:
case of the user not having correct permissions, they will now be redirected
to Special:BadTitle.
CVE-2011-4361
Tim Starling discovered that action=ajax requests were dispatched to the
relevant function without any read permission checks being done. This could
have led to data leakage on private wikis.
For the oldstable distribution (lenny), these problems have been fixed in
version 1:1.12.0-2lenny9.
In general, a standard system update will make all the necessary changes.
Details follow:
Adrian Pastor and Tim Starling discovered that the CUPS web interface
incorrectly protected against cross-site request forgery (CSRF) attacks. If
an authenticated user were tricked into visiting a malicious website while
logged into CUPS, a remote attacker could modify the CUPS configuration and
possibly steal confidential data. (CVE-2010-0540)
Problem Description:
Multiple vulnerabilities has been found and corrected in libthai:
Tim Starling discovered that libthai, a set of Thai language support
routines, is vulnerable of integer/heap overflow. This vulnerability
could allow an attacker to run arbitrary code by sending a very long
string (CVE-2009-4012).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tim Starling discovered that LibThai did not correctly handle long strings.
A remote attacker could use specially-formed strings to execute arbitrary
code with the user's privileges.
Updated packages for Ubuntu 8.04 LTS:
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: yes
CVE ID : CVE-2011-2770
Tim Starling discovered that the Debian-native CGI wrapper for man2html,
a program to convert UNIX man pages to HTML, is not properly escaping
user-supplied input when displaying various error messages. A remote
attacker can exploit this flaw to conduct cross-site scripting (XSS)
attacks.
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2009-4012
Tim Starling discovered that libthai, a set of Thai language support routines,
is vulnerable of integer/heap overflow.
This vulnerability could allow an attacker to run arbitrary code by sending a very
long string.
1 net-proxy/squid < 2.6.17 >= 2.6.17
Description
===========
The Wikimedia Foundation reported a memory leak vulnerability when
performing cache updates.
Impact
======
