[ MDVSA-2009:293 ] squidGuard

[dude67]

_______________________________________________________________________

Package : squidGuard
Date : November 3, 2009
Affected: 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in squidGuard:

Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote
attackers to cause a denial of service (application hang or loss of
blocking functionality) via a long URL with many / (slash) characters,
related to emergency mode. (CVE-2009-3700).

Multiple buffer overflows in squidGuard 1.4 allow remote attackers
to bypass intended URL blocking via a long URL, related to (1)
the relationship between a certain buffer size in squidGuard and a
certain buffer size in Squid and (2) a redirect URL that contains
information about the originally requested URL (CVE-2009-3826).

squidGuard was upgraded to 1.2.1 for MNF2/CS3/CS4 with additional
upstream security and bug fixes patches applied.

This update fixes these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3700
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3826
_______________________________________________________________________