squid -- no sanity check of usernames in squid_ldap_auth

(My first attempt to update this thing. Hope all goes fine!)

PR:		ports/76364
Submitted by:	Thomas-Martin Seck <tmseck@netcologne.de>

1 files changed, 37 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 212ada8d8cf3..c436241480f8 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,43 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="7a921e9e-68b1-11d9-9e1e-c296ac722cb3">
+    <topic>squid -- no sanity check of usernames in squid_ldap_auth</topic>
+    <affects>
+      <package>
+	<name>squid</name>
+	<range><lt>2.5.7_7</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The LDAP authentication helper did not strip
+	  leading or trailing spaces from the login name.
+	  According to the squid patches page:</p>
+	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces">
+	  <p>LDAP is very forgiving about spaces in search
+	    filters and this could be abused to log in
+	    using several variants of the login name,
+	    possibly bypassing explicit access controls
+	    or confusing accounting.</p>
+	  <p>Workaround: Block logins with spaces</p>
+	    <pre>
+	    acl login_with_spaces proxy_auth_regex [:space:]
+		    http_access deny login_with_spaces
+	    </pre>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces</url>
+      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1187</url>
+    </references>
+    <dates>
+      <discovery>2005-01-10</discovery>
+      <entry>YYYY-MM-DD</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="990cf07e-6988-11d9-a9e7-0001020eed82">
     <topic>cups-base -- CUPS server remote DoS vulnerability</topic>
     <affects>