______________________________________________________________________ Mandrake Linux Security Update Advisory ______________________________________________________________________ Package name: squid Advisory ID: MDKSA-2002:027 Date: April 16th, 2002 Affected versions: 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1, Single Network Firewall 7.2 ______________________________________________________________________ Problem Description: A security issue has recently been found and fixed in the Squid-2.X releases up to and including 2.4.STABLE4. Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicous DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV. ______________________________________________________________________ References: http://www.squid-cache.org/Advisories/SQUID-2002_2.txt ______________________________________________________________________ Updated Packages: Linux-Mandrake 7.1: a8521febeb22c7a61d39fc03694ce8fa 7.1/RPMS/squid-2.4.STABLE6-1.3mdk.i586.rpm b6277223c10037008cc296ed4246c2fa 7.1/SRPMS/squid-2.4.STABLE6-1.3mdk.src.rpm Linux-Mandrake 7.2: 07b6200cb3429e12fa17c55d0905c098 7.2/RPMS/squid-2.4.STABLE6-1.3mdk.i586.rpm b6277223c10037008cc296ed4246c2fa 7.2/SRPMS/squid-2.4.STABLE6-1.3mdk.src.rpm Mandrake Linux 8.0: 4f19e1c8f64f4c42cbffdb493dd8aef0 8.0/RPMS/squid-2.4.STABLE6-1.2mdk.i586.rpm 501b0506b806ec4e1621d772ed35f8c2 8.0/SRPMS/squid-2.4.STABLE6-1.2mdk.src.rpm Mandrake Linux 8.0/ppc: 6edade11924a82f716b41ab113ff158f ppc/8.0/RPMS/squid-2.4.STABLE6-1.2mdk.ppc.rpm 501b0506b806ec4e1621d772ed35f8c2 ppc/8.0/SRPMS/squid-2.4.STABLE6-1.2mdk.src.rpm Mandrake Linux 8.1: 92dd6f13a2cc1e67159a35f195788ce3 8.1/RPMS/squid-2.4.STABLE6-1.1mdk.i586.rpm ffa0862cb28670c146aa60c3ddfffd89 8.1/SRPMS/squid-2.4.STABLE6-1.1mdk.src.rpm Mandrake Linux 8.1/ia64: 5090519d39c53bfef418e5cf06835c97 ia64/8.1/RPMS/squid-2.4.STABLE6-1.1mdk.ia64.rpm ffa0862cb28670c146aa60c3ddfffd89 ia64/8.1/SRPMS/squid-2.4.STABLE6-1.1mdk.src.rpm Mandrake Linux 8.2: 48854ffb620b739d98bf2a4d93aa761e 8.2/RPMS/squid-2.4.STABLE6-1.1mdk.i586.rpm ffa0862cb28670c146aa60c3ddfffd89 8.2/SRPMS/squid-2.4.STABLE6-1.1mdk.src.rpm Mandrake Linux 8.2/ppc: 56232a6132d8761f53c93f8bbc9a5127 ppc/8.2/RPMS/squid-2.4.STABLE6-1.1mdk.ppc.rpm ffa0862cb28670c146aa60c3ddfffd89 ppc/8.2/SRPMS/squid-2.4.STABLE6-1.1mdk.src.rpm Corporate Server 1.0.1: a8521febeb22c7a61d39fc03694ce8fa 1.0.1/RPMS/squid-2.4.STABLE6-1.3mdk.i586.rpm b6277223c10037008cc296ed4246c2fa 1.0.1/SRPMS/squid-2.4.STABLE6-1.3mdk.src.rpm Single Network Firewall 7.2: 07b6200cb3429e12fa17c55d0905c098 snf7.2/RPMS/squid-2.4.STABLE6-1.3mdk.i586.rpm b6277223c10037008cc296ed4246c2fa snf7.2/SRPMS/squid-2.4.STABLE6-1.3mdk.src.rpm ______________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ______________________________________________________________________ To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security@linux-mandrake.com ______________________________________________________________________