From tsl@trustix.com Fri Feb 22 21:58:53 2002 From: Trustix Secure Linux Advisor To: tsl-announce@trustix.org Cc: bugtraq@securityfocus.com, linsec@lists.seifried.org Date: Fri, 22 Feb 2002 16:22:23 +0100 Subject: TSLSA-2002-0031 - squid -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Trustix Secure Linux Bugfix Advisory #2002-0031 Package name: squid-cron Summary: Security update Date: 2002-02-22 Affected versions: TSL 1.01, 1.1, 1.2, 1.5 - -------------------------------------------------------------------------- Problem description: From the Squid advisory at http://www.squid-cache.org/Advisories/SQUID-2002_1.txt Three security issues have recently been found in the Squid-2.X releases up to and including 2.4.STABLE3. a) A memory leak in the optional SNMP interface to Squid, allowing an malicious user who can send packets to the Squid SNMP port to possibly perform an denial of service attack on the Squid proxy service if the SNMP interface has been enabled (disabled by default). b) A buffer overflow in the implementation of ftp:// URLs where users who are allowed to proxy ftp:// URLs via Squid can perform an denial of service on the proxy service, and possibly even trigger remote execution of code (not yet confirmed). c) The optional HTCP interface cannot be properly disabled from squid.conf even if the documentation claims it can. The HTCP interface to Squid is not enabled by default, but can be enabled at compile time using the --enable-htcp configure option and some vendors distribute Squid binaries with HTCP enabled. Action: We recommend that all systems with this package installed are upgraded. Note that due to a packaging error in TSL 1.2 and earlier, the swup tool can not be used to upgrade this package (again in TSL 1.2 and earlier) and you will need to give the --oldpackage argument to rpm when upgrading. Typically, that is rpm -Fvh --oldpackage squid-2.4.STABLE4-1tr.i586.rpm Location: All TSL updates are available from Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Get SWUP from: Public testing: These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at Questions? Check out our mailing lists: Verification: This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: The advisory itself is available from the errata pages at or directly at MD5sums of the packages: - -------------------------------------------------------------------------- e30e406a2e6f241e9eb5639ae939cf70 ./1.5/SRPMS/squid-2.4.STABLE4-1tr.src.rpm 3b495cb2a47b3aba7b44c1c4135d8ac7 ./1.5/RPMS/squid-2.4.STABLE4-1tr.i586.rpm e30e406a2e6f241e9eb5639ae939cf70 ./1.2/SRPMS/squid-2.4.STABLE4-1tr.src.rpm ff158589fc17a67ad47a65d824a5876e ./1.2/RPMS/squid-2.4.STABLE4-1tr.i586.rpm e30e406a2e6f241e9eb5639ae939cf70 ./1.1/SRPMS/squid-2.4.STABLE4-1tr.src.rpm 9ea10e9c83acd3eb2c04f01f707e9f9a ./1.1/RPMS/squid-2.4.STABLE4-1tr.i586.rpm - -------------------------------------------------------------------------- Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8dkhjwRTcg4BxxS0RAukmAJ9sFaiSNXlk1uCF4kfCe9CbXdFiggCdGasX ta/W7TdZcjc6KjZxM5wfuFk= =L5N7 -----END PGP SIGNATURE-----