Red Hat, Inc. Security Advisory

Package:      squid
Synopsis:     Potential misuse of squid cachemgr.cgi
Advisory ID:  RHSA-1999:025-01
Issue Date:   1999-07-29
Keywords:     squid cachemgr.cgi connect

1. Topic:

cachemgr.cgi, the manager interface to Squid, is installed by default in
/home/httpd/cgi-bin. If a web server (such as Apache) is running, this can
allow remote users to send connect() requests from the local machine to
arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

None

5. Conflicts with:

None

6. RPMs required:

Intel:
ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm

Alpha:
ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm

SPARC:
ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm

Source:
ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm

7. Problem description:

A remote user could enter a hostname/IP address and port number, and the
cachemgr CGI would attempt to connect to that host and port, printing the
error if it fails.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

Alternatively, you can simply disable cachemgr.cgi by editing your HTTP
daemon's access control files or by deleting/moving the cachemgr.cgi binary.

9. Verification:

MD5 sum                           Package Name
-------------------------------------------------------------------------
80d527634fc8d8d2029532a628b3d924  squid-2.2.STABLE4-5.i386.rpm
65d18747148d7e3dae4249fe65c18c6b  squid-2.2.STABLE4-5.alpha.rpm
734f84b949752fe39b5e58555210ff51  squid-2.2.STABLE4-5.sparc.rpm
02a93b0b1985f8d5c77eb8f3e8981eeb  squid-2.2.STABLE4-5.src.rpm

These packages are also PGP signed by Red Hat Inc. for security. Our key is
available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp filename

10. References:

copyright © 1999 Red Hat, Inc. All rights reserved.
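The verification step in section 9, carried out by a script before the `rpm -Uvh` step in section 8. This is an added example and not part of the Red Hat advisory; it assumes the RPMs have been downloaded into one directory, copies the MD5 digests from the advisory's table, and the script file name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of RHSA-1999:025-01: check downloaded squid RPMs
# against the MD5 table published in the advisory (section 9) before running
# the `rpm -Uvh` step in section 8. Digests below are copied from the advisory.

# expected_md5 NAME -> prints the advisory's MD5 for that RPM, or fails
expected_md5() {
    case "$1" in
        squid-2.2.STABLE4-5.i386.rpm)  echo 80d527634fc8d8d2029532a628b3d924 ;;
        squid-2.2.STABLE4-5.alpha.rpm) echo 65d18747148d7e3dae4249fe65c18c6b ;;
        squid-2.2.STABLE4-5.sparc.rpm) echo 734f84b949752fe39b5e58555210ff51 ;;
        squid-2.2.STABLE4-5.src.rpm)   echo 02a93b0b1985f8d5c77eb8f3e8981eeb ;;
        *) return 1 ;;
    esac
}

# md5_of FILE -> hex digest (md5sum on Linux, md5 -q on BSD/macOS)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# check_rpm FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise
check_rpm() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ] && { echo "ok   $1"; return 0; }
    echo "FAIL $1 (got $actual, advisory lists $2)" >&2
    return 1
}

# verify_downloads DIR -> 0 only if at least one advisory RPM is in DIR and
# every one present matches; then asks rpm to check the Red Hat PGP signature
verify_downloads() {
    dir=${1:-.}; found=0; bad=0
    for f in "$dir"/squid-2.2.STABLE4-5.*.rpm; do
        [ -f "$f" ] || continue                 # glob matched nothing
        if expected=$(expected_md5 "$(basename "$f")"); then
            found=$((found + 1))
            check_rpm "$f" "$expected" || bad=$((bad + 1))
        fi
    done
    [ "$found" -gt 0 ] || { echo "no advisory RPMs found in $dir" >&2; return 1; }
    [ "$bad" -eq 0 ] || return 1
    # Same signature check the advisory asks for; skipped where rpm is absent
    if command -v rpm >/dev/null 2>&1; then rpm --checksig "$dir"/squid-2.2.STABLE4-5.*.rpm; fi
}

# Usage: sh verify-squid-rpms.sh /path/to/downloaded/rpms
if [ -n "${1:-}" ]; then verify_downloads "$1"; fi
```

The script exits nonzero when no listed RPM is present or any present one fails its digest, so the install can be chained as `sh verify-squid-rpms.sh dir && rpm -Uvh dir/squid-2.2.STABLE4-5.i386.rpm`.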