Hi all,

I'm using Squid 2.5.STABLE10, and since I can't afford to migrate to a newer Squid release on my platform, I'd like to get a status on whether this version of Squid is impacted by the CAN-2005-3258 vulnerability or not.

A patch for squid 2.5.STABLE11 exists for this issue:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape

After a quick try, it seems this patch does not apply to squid 2.5.STABLE10, mainly because squid 2.5.STABLE10 first needs another patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-ftp_basehref

As far as I can see, the rfc1738_do_escape patch fixes some things in the ftp_basehref patch itself, rather than flaws in squid 2.5.STABLE10. As a consequence, I wonder if the latter patch has introduced the vulnerability or if it existed anyway.

Can someone tell me if the code from squid 2.5.STABLE10 is affected by this vulnerability?

Another possibility to know the answer would be to try to reproduce the issue with squid 2.5.STABLE10. The bug-tracker highlights that some FTP URLs are likely to force the crash. Any hints?

Thanks in advance for your time
--
Aurelien
