Mandriva Advisories

Package name: squid
Date: January 23rd, 2007
Advisory ID: MDKSA-2007:026
Affected versions: CS3.0, MNF2.0, 2006.0, 2007.0, CS4.0
Synopsis: Updated squid packages fix vulnerabilities

Problem Description

A vulnerability in squid was discovered that could be remotely
exploited by using a special ftp:// URL (CVE-2007-0247).

Another Denial of Service vulnerability was discovered in squid 2.6
that allows remote attackers to crash the server by causing an
external_acl_queue overload (CVE-2007-0248).

Additionally, a bug in squid 2.6 for max_user_ip handling in ntlm_auth
has been corrected.

The updated packages have been patched to correct these issues.

Updated Packages

Corporate Server 3.0

 95c1ca980282b1c49b50a8507c7fd82d  corporate/3.0/i586/squid-2.5.STABLE9-1.6.C30mdk.i586.rpm 
 7a65ca526a37b6850f4b33f1959d8595  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.6.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 5c575f5fb19da84a3c0f3ee92429c65c  corporate/3.0/x86_64/squid-2.5.STABLE9-1.6.C30mdk.x86_64.rpm 
 7a65ca526a37b6850f4b33f1959d8595  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.6.C30mdk.src.rpm

Multi Network Firewall 2.0

 6df4b826639660123bd8cbaf045b3efd  mnf/2.0/i586/squid-2.5.STABLE9-1.6.M20mdk.i586.rpm 
 0c6029fd8710939fa1e187acbf2e1c70  mnf/2.0/SRPMS/squid-2.5.STABLE9-1.6.M20mdk.src.rpm

Mandriva Linux 2006

 08e2ff96f1951e61a976ef60bbf6bea5  2006.0/i586/squid-2.5.STABLE10-10.3.20060mdk.i586.rpm
 59613107122da1dd6c0ce6724f563fed  2006.0/i586/squid-cachemgr-2.5.STABLE10-10.3.20060mdk.i586.rpm 
 96bdafa2207c70e46e2c6b958748b884  2006.0/SRPMS/squid-2.5.STABLE10-10.3.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 60c1f397b2ce5b283757b76da8c70df1  2006.0/x86_64/squid-2.5.STABLE10-10.3.20060mdk.x86_64.rpm
 b0ec419dcae41638d2f628f013c0e050  2006.0/x86_64/squid-cachemgr-2.5.STABLE10-10.3.20060mdk.x86_64.rpm 
 96bdafa2207c70e46e2c6b958748b884  2006.0/SRPMS/squid-2.5.STABLE10-10.3.20060mdk.src.rpm

Mandriva Linux 2007

 21dd893ce118c427d7b34656e41939ec  2007.0/i586/squid-2.6.STABLE1-4.2mdv2007.0.i586.rpm
 4021d4e323f1fc695aa956832ede5dbd  2007.0/i586/squid-cachemgr-2.6.STABLE1-4.2mdv2007.0.i586.rpm 
 6800d5a945187fca10197220d3068e01  2007.0/SRPMS/squid-2.6.STABLE1-4.2mdv2007.0.src.rpm

Mandriva Linux 2007/X86_64

 dd5ac455b5f94d7b5589d1ff80972dc3  2007.0/x86_64/squid-2.6.STABLE1-4.2mdv2007.0.x86_64.rpm
 e9968cd35f6c21988691982ab3d6c9dc  2007.0/x86_64/squid-cachemgr-2.6.STABLE1-4.2mdv2007.0.x86_64.rpm 
 6800d5a945187fca10197220d3068e01  2007.0/SRPMS/squid-2.6.STABLE1-4.2mdv2007.0.src.rpm

Corporate Server 4.0

 db2095e0e73bb231ffe40897b1666fbf  corporate/4.0/i586/squid-2.6.STABLE1-4.2.20060mlcs4.i586.rpm
 7fff9071842f6d87f10643a66d858373  corporate/4.0/i586/squid-cachemgr-2.6.STABLE1-4.2.20060mlcs4.i586.rpm 
 46198dfe46b61033924be7a1050bf1d7  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.2.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 a3431be4855f377ae0efaf7bf60c845f  corporate/4.0/x86_64/squid-2.6.STABLE1-4.2.20060mlcs4.x86_64.rpm
 7953d0208a17451f1465c69d244736fd  corporate/4.0/x86_64/squid-cachemgr-2.6.STABLE1-4.2.20060mlcs4.x86_64.rpm 
 46198dfe46b61033924be7a1050bf1d7  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.2.20060mlcs4.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0248
http://www.squid-cache.org/bugs/show_bug.cgi?id=1792

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.
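
For a manual download, the two checks described above can be scripted as follows. This is an added example, not Mandriva's own tooling: it compares downloaded RPMs with the checksum lines under "Updated Packages" (which catches a corrupted or wrong file) and then runs `rpm --checksig`, the check that ties each package to the imported key. The function names and the `advisory.txt` file (this advisory saved as text) are assumptions, as is the availability of `md5sum`.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
# Usage: sh verify.sh advisory.txt /path/to/downloaded/rpms

# check_md5 ADVISORY DIR
# Compare each RPM found in DIR with the "<md5>  <repo path>" lines of the
# advisory text. Listed packages that were not downloaded are skipped, since
# the advisory covers every product and architecture. Returns 0 only if at
# least one package was checked and none mismatched.
check_md5() {
    advisory=$1 dir=$2 seen=0 bad=0
    # Keep lines shaped like: 32 hex digits, whitespace, a path ending in .rpm
    list=$(grep -E '^[[:space:]]*[0-9a-f]{32}[[:space:]]+[^[:space:]]+\.rpm[[:space:]]*$' "$advisory" || true)
    while read -r want path; do
        name=${path##*/}                 # advisory paths are repo-relative
        [ -f "$dir/$name" ] || continue
        seen=$((seen + 1))
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory $want, file $got)"
            bad=$((bad + 1))
        fi
    done <<EOF
$list
EOF
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# check_sig DIR
# Run the advisory's own command on every RPM in DIR. Assumes the Mandriva
# Security Team public key has already been imported into the rpm keyring.
check_sig() {
    for f in "$1"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig "$f" || return 1
    done
}

if [ "$#" -eq 2 ]; then
    check_md5 "$1" "$2" && check_sig "$2"
fi
```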