Zwei Probleme in Sarg
ID: | 200803-21 |
Distribution: | Gentoo |
Plattformen: | Keine Angabe |
Datum: | Mi, 12. März 2008, 20:07 |
Referenzen: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1168 |
Applikationen: | sarg |
Originalnachricht |
|
--YiEDa0DAkWCtVeE4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200803-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Sarg: Remote execution of arbitrary code Date: March 12, 2008 Bugs: #212208, #212731 ID: 200803-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Sarg is vulnerable to the execution of arbitrary code when processed with untrusted input files. Background ========== Sarg (Squid Analysis Report Generator) is a tool that provides many informations about the Squid web proxy server users activities: time, sites, traffic, etc. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/sarg < 2.2.5 >= 2.2.5 Description =========== Sarg doesn't properly check its input for abnormal content when processing Squid log files. Impact ====== A remote attacker using a vulnerable Squid as a proxy server or a reverse-proxy server can inject arbitrary content into the "User-Agent" HTTP client header, that will be processed by sarg, which will lead to the execution of arbitrary code, or JavaScript injection, allowing Cross-Site Scripting attacks and the theft of credentials. Workaround ========== There is no known workaround at this time. Resolution ========== All sarg users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.2.5" References ========== [ 1 ] CVE-2008-1167 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1167 [ 2 ] CVE-2008-1168 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1168 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200803-21.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --YiEDa0DAkWCtVeE4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) iQEVAwUBR9gn/jvRww8BFPxFAQKDDAf+KrfrsubFdJ0moJv085uyuwFgLQrKAXoi B6196qQK27oH8HiWz+6eybYPUXX+mwCg3B55S3NP88G1i+4nmLgDv1JjV5v85CBZ k+yMmR/vINzFx/38e1oUXUYFNUuo9JczSDunh+f0obSRjJT4Mn0U6kiGwW/82zpp Li2d2QNauSAQwghWLcmF06QpvnIasejpeEiPDl5n1ekoEmgEkivO8X/Tk/oQHkMM iiOz1/odcS3d1+1k3wPKn4THYrBPDvFLa49F1wvJOvgb2oW/kSbjvMZsnqZTUcg3 K12KwYhhrJ9fCEPgsljqGm8Q8AonCzZbwOcVQbXPGTo+C5Z1oKOmmw== =u45G -----END PGP SIGNATURE----- --YiEDa0DAkWCtVeE4-- -- gentoo-announce@lists.gentoo.org mailing list |