[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1CNPVg-000pvOC__43997.3230394118$1099066038$gmane$org@finlandia.Infodrom.North.DE>
Date: Fri, 29 Oct 2004 07:41:12 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 576-1] New Squid packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 576-1 security@...ian.org
http://www.debian.org/security/ Martin Schulze
October 29th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : squid
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-1999-0710 CAN-2004-0918
Debian Bug : 133131
Several security vulnerabilities have been discovered in Squid, the
internet object cache, the popular WWW proxy cache. The Common
Vulnerabilities and Exposures project identifies the following
problems:
CVE-1999-0710
It is possible to bypass access lists and scan arbitrary hosts and
ports in the network through cachemgr.cgi, which is installed by
default. This update disables this feature and introduces a
configuration file (/etc/squid/cachemgr.conf) to control
this behavier.
CAN-2004-0918
The asn_parse_header function (asn1.c) in the SNMP module for
Squid allows remote attackers to cause a denial of service via
certain SNMP packets with negative length fields that causes a
memory allocation error.
For the stable distribution (woody) these problems have been fixed in
version 2.4.6-2woody4.
For the unstable distribution (sid) these problems have been fixed in
version 2.5.7-1.
We recommend that you upgrade your squid package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4.dsc
Size/MD5 checksum: 612 ecf99211ec91dfb34bd6089ec9ae1b53
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4.diff.gz
Size/MD5 checksum: 226359 4e6ade338491ef8569035c4aecc855ef
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz
Size/MD5 checksum: 1081920 59ce2c58da189626d77e27b9702ca228
Alpha architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_alpha.deb
Size/MD5 checksum: 814832 cca13d30e0f1f8910a07fa5ab70c861e
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_alpha.deb
Size/MD5 checksum: 75250 421fd4ee596d4c9993ba5f8778eaef2f
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_alpha.deb
Size/MD5 checksum: 59996 62c1544bce8c872e6c1b3fdce5e94475
ARM architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_arm.deb
Size/MD5 checksum: 724816 e2076225318e14b3c8bff10a40cdf7f9
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_arm.deb
Size/MD5 checksum: 73026 4bc2cc0d5d0d29992ffd1b9a82653e21
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_arm.deb
Size/MD5 checksum: 58332 408e227f29d0aa923044beedc3e7c92e
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_i386.deb
Size/MD5 checksum: 684008 0a09e40e20659cebdbab638f1cbc009b
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_i386.deb
Size/MD5 checksum: 72762 9e32b4f77446d9172b381f52f18a11eb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_i386.deb
Size/MD5 checksum: 57912 5b8e0c713676845dc5a7263a44dd56cd
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_ia64.deb
Size/MD5 checksum: 952836 db5e0a6fc0863bdebbf579f957121da6
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_ia64.deb
Size/MD5 checksum: 79144 7b9eb001137d25be30d9b8400d6aee39
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_ia64.deb
Size/MD5 checksum: 62682 af3f6bdb3de9bdae20896f630eeb4b60
HP Precision architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_hppa.deb
Size/MD5 checksum: 778974 59f67088877baa7baf90e60a4f3317a6
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_hppa.deb
Size/MD5 checksum: 74462 118f494f5079eda3ba1b52d1462f4012
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_hppa.deb
Size/MD5 checksum: 59482 cbef83fb6fbb50ad47d318a821dc7358
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_m68k.deb
Size/MD5 checksum: 665202 51cc52fe2a265c63cbaed727fad15a99
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_m68k.deb
Size/MD5 checksum: 72378 07708d039b0cf46ee7c6628ad7e4bcbf
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_m68k.deb
Size/MD5 checksum: 57584 5102473e069bac195482ed6385def788
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_mips.deb
Size/MD5 checksum: 764682 62488f6104b371b6107b39b6b4bcaeda
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_mips.deb
Size/MD5 checksum: 73928 14f1391ec0888964efebe1ba7a11f220
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_mips.deb
Size/MD5 checksum: 58636 0123e6dba5c165033e3ce6dd60c8d89a
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_mipsel.deb
Size/MD5 checksum: 764144 8cb8b84931df0d8b271e5c2f8a010fb2
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_mipsel.deb
Size/MD5 checksum: 74030 ee3349da5a1634891ed67136c9989fc6
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_mipsel.deb
Size/MD5 checksum: 58736 75c8d8c7d15b149f3c0a1bdccae59df8
PowerPC architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_powerpc.deb
Size/MD5 checksum: 721856 283001554d7096f5ddc4126231ef6807
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_powerpc.deb
Size/MD5 checksum: 73014 4a6e19209a8dd04cdc74e474abeb16e5
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_powerpc.deb
Size/MD5 checksum: 58220 7424479351cd71563de79769b90911d1
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_s390.deb
Size/MD5 checksum: 711276 8cab4b4e4a1f89b36aac29fc59613c91
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_s390.deb
Size/MD5 checksum: 73348 d677789f48da35c39467674bc165065a
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_s390.deb
Size/MD5 checksum: 58784 f8d217932f607b381a17b5f798e3352a
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_sparc.deb
Size/MD5 checksum: 723958 41dce5c7e630c0b0ecedbed8acba2e7a
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_sparc.deb
Size/MD5 checksum: 75644 f4af52384e6190450d5fc46ca3b66a82
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_sparc.deb
Size/MD5 checksum: 60660 3a44a74fe3bcf2dd714f308cd4708a89
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBgdf3W5ql+IAeqTIRAuoiAKCPBpTgkA8EZSrCteAxeghkLpqFCACeL8iz
jy5uf0Bj98dyYZgxALs00PE=
=ygMY
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists