Advisories

Mandriva Advisories

Package name	squid
Date	April 28th, 2005
Advisory ID	MDKSA-2005:078
Affected versions	10.0, 10.1, CS2.1, CS3.0, 10.2
Synopsis	Updated squid packages fix vulnerability

Problem Description

Squid 2.5, when processing the configuration file, parses empty Access
Control Lists (ACLs), including proxy_auth ACLs without defined auth
schemes, in a way that effectively removes arguments, which could allow
remote attackers to bypass intended ACLs if the administrator ignores
the parser warnings. (CAN-2005-0194)

Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape
Set-Cookie recommendations for handling cookies in caches, may cause
Set-Cookie headers to be sent to other users, which allows attackers to
steal the related cookies. (CAN-2005-0626)

Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial
of service (segmentation fault) by aborting the connection during a (1)
PUT or (2) POST request, which causes Squid to access previosuly freed
memory. (CAN-2005-0718)

A bug in the way Squid processes errors in the access control list was
also found. It is possible that an error in the access control list
could give users more access than intended. (CAN-2005-1345)

In addition, due to subtle bugs in the previous backported updates of
squid (Bugzilla #14209), all the squid-2.5 versions have been updated to
squid-2.5.STABLE9 with all the STABLE9 patches from the squid developers.

The updated packages are patched to fix these problems.

Updated Packages

Mandrakelinux 10.0

 19b0bdb45e358fbccc080e09cf274bca  10.0/RPMS/squid-2.5.STABLE9-1.1.100mdk.i586.rpm
5738f9bf3c36cd6092cca77960580467  10.0/SRPMS/squid-2.5.STABLE9-1.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 fc15ab0245c05d3ee9222caf700da7c7  amd64/10.0/RPMS/squid-2.5.STABLE9-1.1.100mdk.amd64.rpm
5738f9bf3c36cd6092cca77960580467  amd64/10.0/SRPMS/squid-2.5.STABLE9-1.1.100mdk.src.rpm

Mandrakelinux 10.1

 258f532d766624e4f21936fa31150379  10.1/RPMS/squid-2.5.STABLE6-2.4.101mdk.i586.rpm
f4a8b90704f752906ee1de301800eb17  10.1/RPMS/squid-2.5.STABLE9-1.1.101mdk.i586.rpm
b6c79d25d11a58e589af08d0a20807a7  10.1/SRPMS/squid-2.5.STABLE9-1.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 df1d16c47e1fbe579633f26064a7c72e  x86_64/10.1/RPMS/squid-2.5.STABLE9-1.1.101mdk.x86_64.rpm
b6c79d25d11a58e589af08d0a20807a7  x86_64/10.1/SRPMS/squid-2.5.STABLE9-1.1.101mdk.src.rpm

Corporate Server 2.1

 8044aed82f158b377ef1f987f14c02da  corporate/2.1/RPMS/squid-2.4.STABLE7-2.6.C21mdk.i586.rpm
715494248752557eb0b718f2a4dd34c9  corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 faf3786d2a62f4b4776a79a3d9fe091a  x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.6.C21mdk.x86_64.rpm
715494248752557eb0b718f2a4dd34c9  x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Corporate Server 3.0

 6afc0bba2ef06f8a50bf3f24b4da9550  corporate/3.0/RPMS/squid-2.5.STABLE9-1.1.C30mdk.i586.rpm
3ae337e1ba1ee16c09bdf0c699b3a754  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 8028593f7c4176ce4d5767a653faba3f  x86_64/corporate/3.0/RPMS/squid-2.5.STABLE9-1.1.C30mdk.x86_64.rpm
3ae337e1ba1ee16c09bdf0c699b3a754  x86_64/corporate/3.0/SRPMS/squid-2.5.STABLE9-1.1.C30mdk.src.rpm

Mandriva Linux LE2005

 81780136aa37f1ad1df50101b51914fa  10.2/RPMS/squid-2.5.STABLE9-1.1.102mdk.i586.rpm
e81e7e584f36cc989cfc7c08a18b453c  10.2/SRPMS/squid-2.5.STABLE9-1.1.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 a8e6b2ebeafcae07a708256455508280  x86_64/10.2/RPMS/squid-2.5.STABLE9-1.1.102mdk.x86_64.rpm
e81e7e584f36cc989cfc7c08a18b453c  x86_64/10.2/SRPMS/squid-2.5.STABLE9-1.1.102mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0194

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

URL:

https://mandriva.com/security/advisories

Short link:

https://mandriva.com/content/view/full/1075

Intersites Menu

Mandriva

Tools

Top menu

Advisories

Footer