Home > Security > Advisories

Advisories

Mandriva Advisories

Package name squid
Date March 22nd, 2007
Advisory ID MDKSA-2007:068
Affected versions CS3.0, MNF2.0, 2006.0, 2007.0, CS4.0
Synopsis Updated squid packages fix DoS vulnerability

Problem Description

Due to an internal error Squid-2.6 is vulnerable to a denial of service
attack when processing the TRACE request method. This problem allows
any client trusted to use the service to perform a denial of service
attack on the Squid service.

Updated packages have been patched to address this issue.

Updated Packages

Corporate Server 3.0

 a986e19d7ba9623b4dda97a6bba72f79  corporate/3.0/i586/squid-2.5.STABLE9-1.7.C30mdk.i586.rpm 
 c19c9d0a546f9a49760ef0fdff1c3b20  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.7.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 d7f677e1f272e638ee960755459b1ded  corporate/3.0/x86_64/squid-2.5.STABLE9-1.7.C30mdk.x86_64.rpm 
 c19c9d0a546f9a49760ef0fdff1c3b20  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.7.C30mdk.src.rpm

Multi Network Firewall 2.0

 0eb2b836cb6c6f04b7bdf588a82de958  mnf/2.0/i586/squid-2.5.STABLE9-1.7.M20mdk.i586.rpm 
 bd364264eb1262e255b796714cbe2f58  mnf/2.0/SRPMS/squid-2.5.STABLE9-1.7.M20mdk.src.rpm

Mandriva Linux 2006

 e56b626c99d9fde6e6ce2e3229365507  2006.0/i586/squid-2.5.STABLE10-10.4.20060mdk.i586.rpm
 fe14ce71483e6d00471a9b157f1394ad  2006.0/i586/squid-cachemgr-2.5.STABLE10-10.4.20060mdk.i586.rpm 
 e3dca65061ce799f0a14843ff6c9494e  2006.0/SRPMS/squid-2.5.STABLE10-10.4.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 76f9515ef619dfef179bcd89195fe922  2006.0/x86_64/squid-2.5.STABLE10-10.4.20060mdk.x86_64.rpm
 2ef40237eb928e6c93c769b5a89e9436  2006.0/x86_64/squid-cachemgr-2.5.STABLE10-10.4.20060mdk.x86_64.rpm 
 e3dca65061ce799f0a14843ff6c9494e  2006.0/SRPMS/squid-2.5.STABLE10-10.4.20060mdk.src.rpm

Mandriva Linux 2007

 054f7d10fda6b956f9dc3631dfc6d4b0  2007.0/i586/squid-2.6.STABLE1-4.3mdv2007.0.i586.rpm
 cff3225c30326efd3b60d22a0834556a  2007.0/i586/squid-cachemgr-2.6.STABLE1-4.3mdv2007.0.i586.rpm 
 39da38403992ae890878163921074e66  2007.0/SRPMS/squid-2.6.STABLE1-4.3mdv2007.0.src.rpm

Mandriva Linux 2007/X86_64

 5eefe7e1c4c3220e38d7832690cb323d  2007.0/x86_64/squid-2.6.STABLE1-4.3mdv2007.0.x86_64.rpm
 6b0627995c722c40a0159979553a89ff  2007.0/x86_64/squid-cachemgr-2.6.STABLE1-4.3mdv2007.0.x86_64.rpm 
 39da38403992ae890878163921074e66  2007.0/SRPMS/squid-2.6.STABLE1-4.3mdv2007.0.src.rpm

Corporate Server 4.0

 6ab68dde26eb1474b501e657dffa8559  corporate/4.0/i586/squid-2.6.STABLE1-4.3.20060mlcs4.i586.rpm
 9bdf42003bc25b658a0a1f068161e88a  corporate/4.0/i586/squid-cachemgr-2.6.STABLE1-4.3.20060mlcs4.i586.rpm 
 37dc55633b7cf98ac69109074bf19eb9  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.3.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 0e5bb0f771ab24c33cd83df0b5ce6925  corporate/4.0/x86_64/squid-2.6.STABLE1-4.3.20060mlcs4.x86_64.rpm
 318eefc20e4b2e90f297edd4e0d3b9b4  corporate/4.0/x86_64/squid-cachemgr-2.6.STABLE1-4.3.20060mlcs4.x86_64.rpm 
 37dc55633b7cf98ac69109074bf19eb9  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.3.20060mlcs4.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1560

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.