DSA 1646-2: New squid packages fix array bounds check
Posted on: 10/11/2008 09:55 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1646-2 security@debian.org
http://www.debian.org/security/ Devin Carraway
October 11, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : squid
Vulnerability : array bounds check
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1612

In DSA 1646-1, an update was announced for a denial of service
vulnerability in squid, a caching proxy server. Due to an error in
packaging and in testing, the updated packages did not correct the
weakness. An updated release is available which corrects the error.
For reference, the original advisory text follows.

A weakness has been discovered in squid, a caching proxy server. The
flaw was introduced upstream in response to CVE-2007-6239, and
announced by Debian in DSA-1482-1. The flaw involves an
over-aggressive bounds check on an array resize, and could be
exploited by an authorized client to induce a denial of service
condition against squid.

For the stable distribution (etch), these problems have been fixed in
version 2.6.5-6etch4.

We recommend that you upgrade your squid packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4.dsc
Size/MD5 checksum: 669 6e919d707f76cb9d991744834369b876
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5.orig.tar.gz
Size/MD5 checksum: 1636886 26cc918028340dc8ceb9c0c4b988d717
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4.diff.gz
Size/MD5 checksum: 273381 54c814d93e2976176d0389bf22fb216a

Architecture independent packages:

http://security.debian.org/pool/updates/main/s/squid/squid-common_2.6.5-6etch4_all.deb
Size/MD5 checksum: 437254 46d12b52f401fcb70f7d951d66c5dade

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_alpha.deb
Size/MD5 checksum: 119764 28f3499402f9c411df1a2b0eee1769b4
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_alpha.deb
Size/MD5 checksum: 88450 a6df99cdff0c82901d9863223ad35ddb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_alpha.deb
Size/MD5 checksum: 793634 be22589c1b9d3ba1ab52156bf0a3353a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_amd64.deb
Size/MD5 checksum: 86346 dafc6a156fc1f80f91a3d11a50183c02
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_amd64.deb
Size/MD5 checksum: 116724 8334a79c13f1865c37f0e0897b7acbaf
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_amd64.deb
Size/MD5 checksum: 709000 5c9d16bfc10bd4fedb2f9eb61c9395ca

arm architecture (ARM)

http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_arm.deb
Size/MD5 checksum: 116122 184d2bd029ff022c9af03755bf72a3f5
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_arm.deb
Size/MD5 checksum: 86244 2fdfae956f99ff1162fbb4bf8441ca15
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_arm.deb
Size/MD5 checksum: 676602 07e3c76d7374ef1e91c20177ab1f4683

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_hppa.deb
Size/MD5 checksum: 748514 6750bc041313f8d8adb4e183555d3581
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_hppa.deb
Size/MD5 checksum: 88064 7dfa55ef0f63725163a1d011275382d4
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_hppa.deb
Size/MD5 checksum: 118700 9d8d75d7858601696c8d7d441e440d19

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_i386.deb
Size/MD5 checksum: 116550 031de91f40686ac7dc38e6de48615cb7
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_i386.deb
Size/MD5 checksum: 655150 eee50212e07c78bedda110fe3bfa566e
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_i386.deb
Size/MD5 checksum: 86152 4a7f52087fcee493d539e014ea21e3c4

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_ia64.deb
Size/MD5 checksum: 1067252 44f4997b71e6f8b0e5570d057715660a
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_ia64.deb
Size/MD5 checksum: 91522 d6fa05f3602bf87b2b3bd01b8cc426ef
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_ia64.deb
Size/MD5 checksum: 124394 2bb271010b2172abcd31c61dfd47e465

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_mips.deb
Size/MD5 checksum: 87494 ac30318c4ffedfad4a6d0801baf15474
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_mips.deb
Size/MD5 checksum: 740002 6bc6ff8558d06873f01032bbd0b36c3f
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_mips.deb
Size/MD5 checksum: 118308 d92424cf93987ebb392798fb6a1339e1

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_mipsel.deb
Size/MD5 checksum: 87434 afa29601429b35bfe722cb7b16fbb084
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_mipsel.deb
Size/MD5 checksum: 747568 da0371a76195861c8cff6d28366da1d6
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_mipsel.deb
Size/MD5 checksum: 117366 2c280932ebee5de58e669145b9ce59cc

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_powerpc.deb
Size/MD5 checksum: 86292 88c32419e15d93511ed6427957d6cdd6
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_powerpc.deb
Size/MD5 checksum: 712560 21e418ca3c982eb12a3d58a556b8682f
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_powerpc.deb
Size/MD5 checksum: 116520 67f7a1adde76c9c93520dbe84f5c9e99

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_s390.deb
Size/MD5 checksum: 116868 078fed27faaaf363efeb0d7f8e9ffc06
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_s390.deb
Size/MD5 checksum: 86738 ca0d927ffc1900e57c083bb59ac266b8
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_s390.deb
Size/MD5 checksum: 712040 cdf675694f3b01cce10d92d6dbc7f26c

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch4_sparc.deb
Size/MD5 checksum: 667416 7a51316d2f9b7029d889a091aea6b309
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch4_sparc.deb
Size/MD5 checksum: 116086 f10ece4d90708215b40f158ec37b1f28
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch4_sparc.deb
Size/MD5 checksum: 86472 65e2a79ff0f73c6b40efa3831149852a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI8EsOU5XKDemr/NIRAleEAKC15L99mIlvSGbVfvCnS00cJYAF/gCg3d8U
IGKCKkv4BRjj6keRPma6tl8=
=tVF0
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1646_2_new_squid_packages_fix_array_bounds_check.html)