From security@mandriva.com Wed Oct 12 02:12:18 2005 From: Mandriva Security Team To: full-disclosure@lists.grok.org.uk Date: Wed, 12 Oct 2005 00:08:57 -0600 Subject: [Full-disclosure] MDKSA-2005:181 - Updated squid packages fix vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: squid Advisory ID: MDKSA-2005:181 Date: October 11th, 2005 Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0, Corporate Server 2.1, Multi Network Firewall 2.0 ______________________________________________________________________ Problem Description: Squid 2.5.9, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). The updated packages have been patched to address these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2917 ______________________________________________________________________ Updated Packages: Mandrivalinux 10.1: 2159ad83fce0c0e07abec59e859173df 10.1/RPMS/squid-2.5.STABLE9-1.4.101mdk.i586.rpm c068938f3b353ac957c2781fdf3a668b 10.1/SRPMS/squid-2.5.STABLE9-1.4.101mdk.src.rpm Mandrivalinux 10.1/X86_64: 5d348dff4c6af7f6fadb7a082949a625 x86_64/10.1/RPMS/squid-2.5.STABLE9-1.4.101mdk.x86_64.rpm c068938f3b353ac957c2781fdf3a668b x86_64/10.1/SRPMS/squid-2.5.STABLE9-1.4.101mdk.src.rpm Mandrivalinux 10.2: c720af4bcd25b1601a78a288207dcbef 10.2/RPMS/squid-2.5.STABLE9-1.4.102mdk.i586.rpm 05710a48508987ad1a3f8610befb3545 10.2/SRPMS/squid-2.5.STABLE9-1.4.102mdk.src.rpm Mandrivalinux 10.2/X86_64: 6652fcb5d9cb565d66e687ae8cd4621b x86_64/10.2/RPMS/squid-2.5.STABLE9-1.4.102mdk.x86_64.rpm 05710a48508987ad1a3f8610befb3545 x86_64/10.2/SRPMS/squid-2.5.STABLE9-1.4.102mdk.src.rpm Mandrivalinux 2006.0: b1f84290d8148feeb4243d8662842f1e 2006.0/RPMS/squid-2.5.STABLE10-10.1.20060mdk.i586.rpm 6c1db02fae65e9202b26ecbeb06600f3 2006.0/RPMS/squid-cachemgr-2.5.STABLE10-10.1.20060mdk.i586.rpm 66e697ada09d6727c0b1cce0b535519a 2006.0/SRPMS/squid-2.5.STABLE10-10.1.20060mdk.src.rpm Mandrivalinux 2006.0/X86_64: f8d2a35075a4515961707d52a4e54795 x86_64/2006.0/RPMS/squid-2.5.STABLE10-10.1.20060mdk.x86_64.rpm 7f21b2f3e03ee10535b6e6204bd90f66 x86_64/2006.0/RPMS/squid-cachemgr-2.5.STABLE10-10.1.20060mdk.x86_64.rpm 66e697ada09d6727c0b1cce0b535519a x86_64/2006.0/SRPMS/squid-2.5.STABLE10-10.1.20060mdk.src.rpm Multi Network Firewall 2.0: d50ee470ba3e48c31c1d9d182ceb94f4 mnf/2.0/RPMS/squid-2.5.STABLE9-1.4.M20mdk.i586.rpm 28c692f3fe6e26ec18e6f9c5df90247a mnf/2.0/SRPMS/squid-2.5.STABLE9-1.4.M20mdk.src.rpm Corporate Server 2.1: 28f055d1dac940a09bf8d75739640e47 corporate/2.1/RPMS/squid-2.4.STABLE7-2.9.C21mdk.i586.rpm 1f673b3a7aad68b685463b96b8569157 corporate/2.1/SRPMS/squid-2.4.STABLE7-2.9.C21mdk.src.rpm Corporate Server 2.1/X86_64: d5d6450ca3c426b16a9c36b9b4030f6c x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.9.C21mdk.x86_64.rpm 1f673b3a7aad68b685463b96b8569157 x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.9.C21mdk.src.rpm Corporate 3.0: 5877b6bf476c146d95b78dc62908721a corporate/3.0/RPMS/squid-2.5.STABLE9-1.4.C30mdk.i586.rpm 9ab3c4c41fb8bd2bdeb84f753e270bda corporate/3.0/SRPMS/squid-2.5.STABLE9-1.4.C30mdk.src.rpm Corporate 3.0/X86_64: 0d71ddfef090edb5ed2d0166a688b7a4 x86_64/corporate/3.0/RPMS/squid-2.5.STABLE9-1.4.C30mdk.x86_64.rpm 9ab3c4c41fb8bd2bdeb84f753e270bda x86_64/corporate/3.0/SRPMS/squid-2.5.STABLE9-1.4.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDTKh5mqjQ0CJFipgRArdZAKDlrB2Rd3kuMYJhukvGlddk6otNOQCg1n0u q4X1pkfIEY9dUrOqLvya22M= =wGZ3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/