- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : squid
SUMMARY : Multiple vulnerabilities
DATE : 2002-02-27 12:27:00
ID : CLA-2002:464
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
- -------------------------------------------------------------------------
DESCRIPTION
Squid is a high-performance proxy caching server.
Three security issues[1] have recently been found in the Squid-2.X
releases up to and including 2.4.STABLE3. From the Squid v2.4 patches
page[2]:
- Coredump on certain ftp:// style URL's[3]
If certain constructed ftp:// style URL's are received then squid
crashes, causing a denial of service (DoS) and maybe even remote
execution of code.
- SNMP memory leaks[4]
The SNMP implementation in Squid had several memory leaks possibly
causing a denial of service (DoS).
- Failure to disable the HTCP port[5]
"htcp_port 0" fails to completely disable the HTCP port as documented
in squid.conf, instead HTCP will be listening on a random port
number.
Aditionally, the following patches from the site were applied:
- Potential coredump on snmpwalk[6]
Fixes a coredump on snmpwalk in certain configurations.
- CONNECT/ssl core dump[7]
Squid crashes on CONNECT requests that are allowed by http_access but
denied by miss_access.
- Filedescriptor leakage in the aufs store[8]
Fixes a filedescriptor leakage in the "aufs" cache_dir store
implementation.
SOLUTION
It is recommended that all squid users upgrade to the latest
packages. This update will automatically restart the service if it is
already running.
REFERENCES:
1.http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
2.http://www.squid-cache.org/Versions/v2/2.4/bugs
3.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE3-ftp_coredump
4.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE3-SNMP_memory_leaks
5.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE3-htcp_off
6.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE2-snmpwalk_coredump
7.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE2-CONNECT_miss_access_core
8.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE2-aufs_fd_leak
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/squid-2.3.5-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/squid-2.3.5-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/squid-2.3.5-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/squid-2.3.5-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/squid-2.3.5-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/squid-2.4.1-4U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-templates-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-doc-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-auth-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-2.4.1-4U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/squid-2.3.5-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/squid-2.3.5-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/squid-2.3.5-1U50_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8fUo/42jd0JmAcZARAsMjAKDeaGdE+VvplWv3aSaCsVUolAlDogCfWoZ0
JvDOSfPhw4nEKni+LzJeais=
=1Dxs
-----END PGP SIGNATURE-----
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
