Message-ID: <E1DRSyt-0007kP-9b@mercury.mandriva.com>
Date: Fri Apr 29 11:44:29 2005
From: security at mandriva.com (Mandriva Security Team)
Subject: MDKSA-2005:078 - Updated squid packages fix vulnerability


 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           squid
 Advisory ID:            MDKSA-2005:078
 Date:                   April 28th, 2005

 Affected versions:      10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Squid 2.5, when processing the configuration file, parses empty Access 
 Control Lists (ACLs), including proxy_auth ACLs without defined auth 
 schemes, in a way that effectively removes arguments, which could allow 
 remote attackers to bypass intended ACLs if the administrator ignores 
 the parser warnings. (CAN-2005-0194)
 
 Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape 
 Set-Cookie recommendations for handling cookies in caches, may cause 
 Set-Cookie headers to be sent to other users, which allows attackers to 
 steal the related cookies. (CAN-2005-0626)
 
 Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial 
 of service (segmentation fault) by aborting the connection during a (1) 
 PUT or (2) POST request, which causes Squid to access previously freed 
 memory. (CAN-2005-0718)
 
 In addition, due to subtle bugs in the previous backported updates of 
 squid (Bugzilla #14209), all the squid-2.5 versions have been updated to 
 squid-2.5.STABLE9 with all the STABLE9 patches from the squid developers.
 
 The updated packages are patched to fix these problems.
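 The first item above only bites when the parser warnings about empty ACLs go
 unread. As an added example (not code from the advisory or from Squid), the
 linter below reads a squid.conf and reports the two patterns named for
 CAN-2005-0194: ACL definitions with no arguments, and proxy_auth ACLs with no
 auth_param scheme configured. The acl, auth_param and proxy_auth directives
 are real squid.conf syntax; the sample configuration is constructed.

```python
"""Lint a squid.conf for the two ACL-definition pitfalls behind CAN-2005-0194:
ACLs declared with no arguments, and proxy_auth ACLs with no auth_param
scheme configured. `acl`, `auth_param` and `proxy_auth` are real squid.conf
syntax; SAMPLE_CONF is a constructed example, not a real deployment."""
import re

EMPTY_ACL = "empty ACL definition (no arguments); Squid only warns about this"
NO_AUTH_SCHEME = "proxy_auth ACL but no auth_param scheme is configured"

# Constructed sample configuration exercising the empty-ACL problem.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl staff proxy_auth REQUIRED
acl blocked dstdomain            # meant to list domains, but empty
acl guests src
http_access allow staff
http_access allow localnet
http_access deny all
"""

# acl <name> <type> [args...]; the lazy group is empty when no args follow.
ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)\s*(.*?)\s*$")


def _strip_comment(line):
    return line.split("#", 1)[0]


def lint_acls(conf_text):
    """Return [(line_no, acl_name, problem), ...] for suspicious ACL lines."""
    lines = [_strip_comment(l) for l in conf_text.splitlines()]
    # Any auth_param line means at least one auth scheme is defined.
    has_auth_scheme = any(l.strip().startswith("auth_param") for l in lines)
    findings = []
    for no, body in enumerate(lines, 1):
        m = ACL_RE.match(body)
        if not m:
            continue
        name, acl_type, args = m.groups()
        if not args:
            findings.append((no, name, EMPTY_ACL))
        if acl_type == "proxy_auth" and not has_auth_scheme:
            findings.append((no, name, NO_AUTH_SCHEME))
    return findings


if __name__ == "__main__":
    for no, name, problem in lint_acls(SAMPLE_CONF):
        print(f"squid.conf:{no}: acl {name}: {problem}")
```

 Run it against the live configuration before relying on any http_access rule
 that references an ACL it flags.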
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0194
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0626
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0718
 ______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 Bug IDs fixed (see http://qa.mandriva.com for more information):

  14209
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
