Date: Fri, 29 Mar 2002 11:41:05 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-010.0] Linux: ftp vulnerability in squid
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: ftp vulnerability in squid
Advisory number: CSSA-2002-010.0
Issue date: 2002, March 18
Cross reference:
______________________________________________________________________________
1. Problem Description
If certain constructed ftp:// style URLs are received, then squid
crashes, causing a denial of service and possibly remote execution of
code.
2. Vulnerable Supported Versions
System                        Package
---------------------------------------------------------------------------
OpenLinux Server 3.1          All packages previous to squid-2.4.STABLE2-3
OpenLinux Workstation 3.1     All packages previous to squid-2.4.STABLE2-3
OpenLinux Server 3.1.1        All packages previous to squid-2.4.STABLE2-3
OpenLinux Workstation 3.1.1   All packages previous to squid-2.4.STABLE2-3
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 3.1 Server
4.1 Location of Fixed Packages
The 3.1 version of this package is not yet available. An updated
advisory will be published when the package is released.
5. OpenLinux 3.1 Workstation
5.1 Location of Fixed Packages
The 3.1 version of this package is not yet available. An updated
advisory will be published when the package is released.
6. OpenLinux 3.1.1 Server
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
6.2 Verification
29ca65972c56e9a35a2181ce75bf23a2 RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 SRPMS/squid-2.4.STABLE2-3.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
7. OpenLinux 3.1.1 Workstation
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
7.2 Verification
29ca65972c56e9a35a2181ce75bf23a2 RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 SRPMS/squid-2.4.STABLE2-3.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
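An added example, not part of Caldera's advisory: a shell script that ties the Verification lists in 6.2/7.2 to the install step in 6.3/7.3, running `rpm -Fvh` only when the downloaded file's MD5 matches the listed value. The function names and the script name `verify-squid.sh` are illustrative, and `md5sum` (GNU coreutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes md5sum from GNU coreutils.

# Verification lines as listed in sections 6.2 and 7.2.
ADVISORY_SUMS='29ca65972c56e9a35a2181ce75bf23a2 RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 SRPMS/squid-2.4.STABLE2-3.src.rpm'

# expected_md5 SUMS NAME: print the 32-hex-digit sum listed for file NAME,
# matching on the last path component of the advisory's "RPMS/..." entry.
expected_md5() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { n = split($2, parts, "/") }
        n > 0 && parts[n] == want && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            print $1; exit
        }'
}

# verify_pkg SUMS FILE: 0 = match, 1 = mismatch, 2 = file missing,
# 3 = file name not listed in SUMS.
verify_pkg() {
    vp_sums=$1
    vp_file=$2
    [ -f "$vp_file" ] || { echo "missing: $vp_file" >&2; return 2; }
    vp_want=$(expected_md5 "$vp_sums" "$(basename "$vp_file")")
    [ -n "$vp_want" ] || { echo "not listed: $vp_file" >&2; return 3; }
    vp_got=$(md5sum "$vp_file" | awk '{ print $1 }')
    [ "$vp_got" = "$vp_want" ] || { echo "MD5 mismatch: $vp_file" >&2; return 1; }
    echo "MD5 ok: $vp_file"
}

# install_if_verified FILE: run the advisory's upgrade command only on a match.
install_if_verified() {
    verify_pkg "$ADVISORY_SUMS" "$1" && rpm -Fvh "$1"
}

# Usage: sh verify-squid.sh squid-2.4.STABLE2-3.i386.rpm
if [ "$#" -gt 0 ]; then
    install_if_verified "$1"
fi
```

A match shows only that the file is the one the advisory lists, so the check is as trustworthy as the copy of the advisory the sums were taken from.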
8. References
Specific references for this advisory:
none
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
This security fix closes Caldera incidents sr860954, fz520237,
erg711971.
9. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera International products.
10. Acknowledgements
The ftp vulnerability was discovered by Jouko Pynnonen
<[email protected]>.
______________________________________________________________________________