From security@caldera.com Sun Mar 31 16:47:52 2002
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com
Date: Fri, 29 Mar 2002 11:41:05 -0800
Subject: Security Update: [CSSA-2002-010.0] Linux: ftp vulnerability in squid

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________

                        Caldera International, Inc. Security Advisory

Subject:                Linux: ftp vulnerability in squid
Advisory number:        CSSA-2002-010.0
Issue date:             2002, March 18
Cross reference:
______________________________________________________________________________

1. Problem Description

   If certain constructed ftp:// style URLs are received, then squid
   crashes, causing a denial of service and possibly remote execution
   of code.

2. Vulnerable Supported Versions

   System                          Package
   -----------------------------------------------------------
   OpenLinux Server 3.1            All packages previous to
                                   squid-2.4.STABLE2-3

   OpenLinux Workstation 3.1       All packages previous to
                                   squid-2.4.STABLE2-3

   OpenLinux Server 3.1.1          All packages previous to
                                   squid-2.4.STABLE2-3

   OpenLinux Workstation 3.1.1     All packages previous to
                                   squid-2.4.STABLE2-3

3. Solution

   Workaround

   none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 3.1 Server

   4.1 Location of Fixed Packages

   The 3.1 version of this package is not yet available. An updated
   advisory will be published when the package is released.

5. OpenLinux 3.1 Workstation

   5.1 Location of Fixed Packages

   The 3.1 version of this package is not yet available. An updated
   advisory will be published when the package is released.

6. OpenLinux 3.1.1 Server

   6.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

   29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
   863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm

   6.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh squid-2.4.STABLE2-3.i386.rpm

7. OpenLinux 3.1.1 Workstation

   7.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

   29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
   863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm

   7.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh squid-2.4.STABLE2-3.i386.rpm

8. References

   Specific references for this advisory:

   none

   Caldera OpenLinux security resources:
   http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:
   http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr860954, fz520237,
   erg711971.

9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera International products.

10. Acknowledgements

   The ftp vulnerability was discovered by Jouko Pynnonen.
______________________________________________________________________________
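The advisory's sections 6.2/6.3 and 7.2/7.3 give an MD5 sum per package and then an rpm -Fvh command, but they do not spell out the check in between. The following POSIX shell script is an added example, not part of the Caldera advisory: it embeds the two digests published above, refuses to install any file that is either unlisted or whose digest does not match, and only then hands the package to rpm -Fvh. The function names (md5_of, verify_package, install_package) and the use of md5sum with an openssl fallback are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Caldera advisory): check a downloaded
# update package against the MD5 sums published in sections 6.2/7.2
# before running the rpm -Fvh command from sections 6.3/7.3.

# Expected digests, copied from the advisory's Verification section.
ADVISORY_SUMS='29ca65972c56e9a35a2181ce75bf23a2 squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 squid-2.4.STABLE2-3.src.rpm'

# md5_of FILE -> prints the hex MD5 digest of FILE.
# Uses md5sum when available, otherwise falls back to openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# expected_md5 NAME -> prints the advisory's digest for package NAME,
# or nothing if NAME is not listed.
expected_md5() {
    printf '%s\n' "$ADVISORY_SUMS" | awk -v n="$1" '$2 == n { print $1 }'
}

# verify_md5 FILE EXPECTED -> exit status 0 if FILE's digest equals
# EXPECTED, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# verify_package FILE -> exit status 0 only if FILE's basename is listed
# in the advisory AND its digest matches. An unlisted file is rejected
# rather than silently accepted.
verify_package() {
    name=$(basename "$1")
    expected=$(expected_md5 "$name")
    if [ -z "$expected" ]; then
        echo "$name: not listed in advisory, refusing to install" >&2
        return 1
    fi
    if verify_md5 "$1" "$expected"; then
        echo "$name: MD5 OK"
    else
        echo "$name: MD5 MISMATCH, refusing to install" >&2
        return 1
    fi
}

# install_package FILE -> freshen the installed package with rpm only
# after the digest check passes.
install_package() {
    verify_package "$1" && rpm -Fvh "$1"
}

# Usage, after fetching the file from the RPMS directory named in the
# advisory for your OpenLinux 3.1.1 flavour:
#   install_package ./squid-2.4.STABLE2-3.i386.rpm
```

The digest table is kept in one place so the same script serves both the Server and Workstation packages, which the advisory lists with identical sums. Note that MD5 only detects a corrupted or substituted download when the sum itself was obtained from a trusted copy of the advisory; the PGP signature on the mail is what ties those sums to Caldera.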