OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: secureconectiva.com.br
Date: Fri Jul 05 2002 - 09:45:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : squid
    SUMMARY : Several vulnerabilities
    DATE : 2002-07-05 11:42:00
    ID : CLA-2002:506
    RELEVANT
    RELEASES : 6.0, 7.0, 8

    - -------------------------------------------------------------------------

    DESCRIPTION
     Squid is a caching/proxy daemon for HTTP, FTP and gopher.
     
     The squid team released squid 2.4.stable7 which fixes a number of
     remote vulnerabilities[1] in previous versions:
     
     - Gopher client buffer overflows[2]
     - FTP directory parsing buffer overflow[3]
     - FTP data channel sanity check[4]
     - Proxy authentication credentials forward[5]
     
     An attacker can exploit some of these vulnerabilities to execute
     arbitrary code remotely as the user running squid (which in Conectiva
     Linux is "proxy" or "nobody"), cause a Denial-of-Service (DoS) in the
     server or inject/get invalid data in/from the network.
     
     This new release also drops any requests using transfer-encoding[6]
     in order to avoid exploits of a known issue[7] in vulnerable apache
     web servers. This does not affect the functionality of squid since it
     is a HTTP/1.0 proxy and as such it does not support transfer-encoding
     requests.

    SOLUTION
     It is recommended that all squid users upgrade to the latest
     packages. This update will automatically restart the service if it is
     already running.
     
     
     REFERENCES:
     1.http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
     2.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-gopher
     3.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-ftp_directories
     4.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-ftp_sanitycheck
     5.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-proxy_auth
     6.http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-deny_transfer_encoding
     7.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000498&idioma=en

    DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/squid-2.4.7-1U60_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/squid-2.4.7-1U60_3cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-2.4.7-1U70_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-auth-2.4.7-1U70_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-doc-2.4.7-1U70_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/squid-templates-2.4.7-1U70_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/squid-2.4.7-1U70_3cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-2.4.7-1U8_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-auth-2.4.7-1U8_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-doc-2.4.7-1U8_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-templates-2.4.7-1U8_3cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/SRPMS/squid-2.4.7-1U8_3cl.src.rpm

    ADDITIONAL INSTRUCTIONS
     Users of Conectiva Linux version 6.0 or higher may use apt to perform
     upgrades of RPM packages:
     - add the following line to /etc/apt/sources.list if it is not there yet
       (you may also use linuxconf to do this):

     rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

    (replace 6.0 with the correct version number if you are not running CL6.0)

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions reagarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribepapaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribepapaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9JbEB42jd0JmAcZARAhgWAJ9FZwMs62TVL1//hH//dkuBfC5PawCeIyTh
    6spKP6ZZnwmN5RUHu4bIbro=
    =9gtP
    -----END PGP SIGNATURE-----