1. Topic:
cachemgr.cgi, the manager interface to Squid, is installed by default in /home/httpd/cgi-bin. If a web server (such as apache) is running, this can allow remote users to sent connect() requests from the local machine to arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures

4. Obsoleted by:
None

5. Conflicts with:
None

6. RPMs required:

Intel:

ftp://updates.Red Hat.com/6.0/i386/

squid- 2.2.STABLE4-5.i386.rpm

Alpha:

ftp://updates.Red Hat.com/6.0/alpha/

squid-2.2.STABLE4-5.alpha.rpm

SPARC:

ftp://updates.Red Hat.com/6.0/sparc/

squid-2.2.STABLE4-5.sparc.rpm

Source:

ftp://updates.Red Hat.com/6.0/SRPMS

squid- 2.2.STABLE4-5.src.rpm

7. Problem description:
A remote user could enter a hostname/IP address and port number, and the cachemgr CGI would attempt to connect to that host and port, printing the error if it fails.

8. Solution:
For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

Alternatively, you can simply disable the cachemgr.cgi, by editing your http daemons access control files or deleting/moving the cachemgr.cgi binary.

After installing the rpm, please restart squid by typing:

/etc/rc.d/init.d/squid restart

9. Verification:

 MD5 sum                           Package Name

 -------------------------------------------------------------------------

 80d527634fc8d8d2029532a628b3d924  squid-2.2.STABLE4-5.i386.rpm

 65d18747148d7e3dae4249fe65c18c6b  squid-2.2.STABLE4-5.alpha.rpm

 734f84b949752fe39b5e58555210ff51  squid-2.2.STABLE4-5.sparc.rpm

 02a93b0b1985f8d5c77eb8f3e8981eeb  squid-2.2.STABLE4-5.src.rpm





 

You can verify each package with the following command: rpm --checksig

If you only wish to verify that each package has not been corrupted o tampered with, examine only the md5sum with the following command: rpm --checksig --nopgp

10. References: