From: Mark J Cox <mjc@redhat.com>
To: Sebastian Krahmer <krahmer@suse.de>
Cc: vendor-sec@lst.de, joey@infodrom.north.de
Subject: Re: [vendor-sec] squid advisory

> a ACL bypass in squid. I did not see this here already, or
> is this an older issue?

It was made public on the Squid web site at the end of February; the "%xx"  
URL decoding function in Squid 2.5STABLE4 and earlier may allow remote
attackers to bypass url_regex ACLs via a URL with a NULL ("%00")
characterm, which causes Squid to use only a portion of the requested URL
when comparing it against the access control lists.  I thought I'd resent
the CVE name Stephen allocated to vendor-sec though I can't find it in the
archive.

       CAN-2004-0189

        http://marc.theaimsgroup.com/?l=squid-cvs&m=107956982502999&w=2
...

Can you check whether we are affected?