Date: Fri, 22 Feb 2002 16:22:23 +0100
From: (Trustix Secure Linux Advisor) <[email protected]>
To: [email protected]Subject: TSLSA-2002-0031 - squid
Cc: [email protected], [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Bugfix Advisory #2002-0031
Package name: squid-cron
Summary: Security update
Date: 2002-02-22
Affected versions: TSL 1.01, 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description:
From the Squid advisory at
http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
Three security issues have recently been found in the Squid-2.X
releases up to and including 2.4.STABLE3.
a) A memory leak in the optional SNMP interface to Squid,
allowing an malicious user who can send packets to the Squid SNMP
port to possibly perform an denial of service attack on the Squid
proxy service if the SNMP interface has been enabled (disabled by
default).
b) A buffer overflow in the implementation of ftp:// URLs where
users who are allowed to proxy ftp:// URLs via Squid can perform
an denial of service on the proxy service, and possibly even
trigger remote execution of code (not yet confirmed).
c) The optional HTCP interface cannot be properly disabled from
squid.conf even if the documentation claims it can. The HTCP
interface to Squid is not enabled by default, but can be enabled
at compile time using the --enable-htcp configure option and some
vendors distribute Squid binaries with HTCP enabled.
Action:
We recommend that all systems with this package installed are upgraded.
Note that due to a packaging error in TSL 1.2 and earlier, the swup tool
can not be used to upgrade this package (again in TSL 1.2 and earlier)
and you will need to give the --oldpackage argument to rpm when upgrading.
Typically, that is
rpm -Fvh --oldpackage squid-2.4.STABLE4-1tr.i586.rpm
Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>;
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>;
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>;
Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>;
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>;
Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>;
Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>;
The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.2/>;
<URI:http://www.trustix.net/errata/trustix-1.5/>;
or directly at
<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0031-squid.asc.txt>;
MD5sums of the packages:
- --------------------------------------------------------------------------
e30e406a2e6f241e9eb5639ae939cf70 ./1.5/SRPMS/squid-2.4.STABLE4-1tr.src.rpm
3b495cb2a47b3aba7b44c1c4135d8ac7 ./1.5/RPMS/squid-2.4.STABLE4-1tr.i586.rpm
e30e406a2e6f241e9eb5639ae939cf70 ./1.2/SRPMS/squid-2.4.STABLE4-1tr.src.rpm
ff158589fc17a67ad47a65d824a5876e ./1.2/RPMS/squid-2.4.STABLE4-1tr.i586.rpm
e30e406a2e6f241e9eb5639ae939cf70 ./1.1/SRPMS/squid-2.4.STABLE4-1tr.src.rpm
9ea10e9c83acd3eb2c04f01f707e9f9a ./1.1/RPMS/squid-2.4.STABLE4-1tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8dkhjwRTcg4BxxS0RAukmAJ9sFaiSNXlk1uCF4kfCe9CbXdFiggCdGasX
ta/W7TdZcjc6KjZxM5wfuFk=
=L5N7
-----END PGP SIGNATURE-----
