The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[CLA-2005:923] Conectiva Security Announcement - squid


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 26 Jan 2005 13:44:16 -0200
To: [email protected], [email protected],
Subject: [CLA-2005:923] Conectiva Security Announcement - squid
From: Conectiva Updates <secure@conectiva.com.br.>
X-Mailer: SAC - Sistema de Anuncios Conectiva v1.2 (PHP/3.0.18)
X-Bogosity: No, tests=bogofilter, spamicity=0.004933, version=0.16.3
X-Virus-Scanned: antivirus-gw at tyumen.ru

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------


PACKAGE   : squid
SUMMARY   : Fixes for squid vulnerabilities
DATE      : 2005-01-26 13:41:00
ID        : CLA-2005:923
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------


DESCRIPTION
 Squid[1] is a full-featured web proxy cache.
 
 This announcement adds the following patches to Squid:
 
 1.Empty ACLs[2]
   The meaning of the access controls becomes somewhat confusing if
 any of the referenced acls is declared empty, without any members.
 
 
 2.Fakeauth_auth[3]
   The NTLM fakeauth_auth helper has a memory leak that may cause it
 to run out of memory under high load, or if it runs for a very long
 time. Additionally, a malformed NTLM type 3 message could cause a
 segmentation violation.
 
 
 3.LDAP spaces[4]
   LDAP is very forgiving about spaces in search filters and this
 could be abused to log in using several variants of the login name,
 possibly bypassing explicit access controls or confusing accounting
 
 
 4.Non blocking disk[5]
   O_NONBLOCK on disk files is not is not standardized, and results
 may be unexpected. Linux now starts to add O_NONBLOCK support on disk
 files but the implementation is not complete yet and this bites
 Squid.
 
 
 5.Gopher html parsing[6]
   A malicious gopher server may return a response with very long
 lines that cause a buffer overflow in Squid.
 
 
 6.WCCP denial of service[7]
   WCCP_I_SEE_YOU messages contain a 'number of caches' field which
 should be between 1 and 32. Values outside that range may crash Squid
 if WCCP is enabled, and if an attacker can spoof UDP packets with the
 WCCP router's IP address.
 
 
 7.SNMP core dump[8]
   If certain malformed SNMP request is received Squid restarts with a
 Segmentation Fault error.
 
 
 Aditionally, this announcement increases the Squid's initscript
 timeout for waiting it to stop from 10 seconds to 35 seconds,
 avoiding problems with stuck connections.


SOLUTION
 It is recommended that all squid users upgrade to the latest
 packages. This update will automatically restart the service if it is
 already running.
 
 
 REFERENCES
 1.http://squid.nlanr.net/
 2.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
 3.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
 4.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
 5.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-non_blocking_disk
 6.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing
 7.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service
 8.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/squid-2.5.5-63116U10_6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-auth-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-extra-templates-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/squid-2.5.5-25761U90_9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-2.5.5-25761U90_9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-auth-2.5.5-25761U90_9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-extra-templates-2.5.5-25761U90_9cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade


 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en


- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en


- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com


- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


iD8DBQFB97rO42jd0JmAcZARAqCWAJ4zZ3bYMYqrbbmwxOaP1oVCg3W6tACg3k6U
sQB1t8gIRJ1koYueHBDxxKU=
=aVJr
-----END PGP SIGNATURE-----



<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру