[Security Announce] [ MDKSA-2007:068 ] - Updated squid packages fix DoS vulnerability
Posted on: 03/22/2007 10:30 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:068
http://www.mandriva.com/security/
_______________________________________________________________________

Package : squid
Date : March 22, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Due to an internal error Squid-2.6 is vulnerable to a denial of service
attack when processing the TRACE request method. This problem allows
any client trusted to use the service to perform a denial of service
attack on the Squid service.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1560
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
e56b626c99d9fde6e6ce2e3229365507 2006.0/i586/squid-2.5.STABLE10-10.4.20060mdk.i586.rpm
fe14ce71483e6d00471a9b157f1394ad 2006.0/i586/squid-cachemgr-2.5.STABLE10-10.4.20060mdk.i586.rpm
e3dca65061ce799f0a14843ff6c9494e 2006.0/SRPMS/squid-2.5.STABLE10-10.4.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
76f9515ef619dfef179bcd89195fe922 2006.0/x86_64/squid-2.5.STABLE10-10.4.20060mdk.x86_64.rpm
2ef40237eb928e6c93c769b5a89e9436 2006.0/x86_64/squid-cachemgr-2.5.STABLE10-10.4.20060mdk.x86_64.rpm
e3dca65061ce799f0a14843ff6c9494e 2006.0/SRPMS/squid-2.5.STABLE10-10.4.20060mdk.src.rpm

Mandriva Linux 2007.0:
054f7d10fda6b956f9dc3631dfc6d4b0 2007.0/i586/squid-2.6.STABLE1-4.3mdv2007.0.i586.rpm
cff3225c30326efd3b60d22a0834556a 2007.0/i586/squid-cachemgr-2.6.STABLE1-4.3mdv2007.0.i586.rpm
39da38403992ae890878163921074e66 2007.0/SRPMS/squid-2.6.STABLE1-4.3mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
5eefe7e1c4c3220e38d7832690cb323d 2007.0/x86_64/squid-2.6.STABLE1-4.3mdv2007.0.x86_64.rpm
6b0627995c722c40a0159979553a89ff 2007.0/x86_64/squid-cachemgr-2.6.STABLE1-4.3mdv2007.0.x86_64.rpm
39da38403992ae890878163921074e66 2007.0/SRPMS/squid-2.6.STABLE1-4.3mdv2007.0.src.rpm

Corporate 3.0:
a986e19d7ba9623b4dda97a6bba72f79 corporate/3.0/i586/squid-2.5.STABLE9-1.7.C30mdk.i586.rpm
c19c9d0a546f9a49760ef0fdff1c3b20 corporate/3.0/SRPMS/squid-2.5.STABLE9-1.7.C30mdk.src.rpm

Corporate 3.0/X86_64:
d7f677e1f272e638ee960755459b1ded corporate/3.0/x86_64/squid-2.5.STABLE9-1.7.C30mdk.x86_64.rpm
c19c9d0a546f9a49760ef0fdff1c3b20 corporate/3.0/SRPMS/squid-2.5.STABLE9-1.7.C30mdk.src.rpm

Corporate 4.0:
6ab68dde26eb1474b501e657dffa8559 corporate/4.0/i586/squid-2.6.STABLE1-4.3.20060mlcs4.i586.rpm
9bdf42003bc25b658a0a1f068161e88a corporate/4.0/i586/squid-cachemgr-2.6.STABLE1-4.3.20060mlcs4.i586.rpm
37dc55633b7cf98ac69109074bf19eb9 corporate/4.0/SRPMS/squid-2.6.STABLE1-4.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
0e5bb0f771ab24c33cd83df0b5ce6925 corporate/4.0/x86_64/squid-2.6.STABLE1-4.3.20060mlcs4.x86_64.rpm
318eefc20e4b2e90f297edd4e0d3b9b4 corporate/4.0/x86_64/squid-cachemgr-2.6.STABLE1-4.3.20060mlcs4.x86_64.rpm
37dc55633b7cf98ac69109074bf19eb9 corporate/4.0/SRPMS/squid-2.6.STABLE1-4.3.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
0eb2b836cb6c6f04b7bdf588a82de958 mnf/2.0/i586/squid-2.5.STABLE9-1.7.M20mdk.i586.rpm
bd364264eb1262e255b796714cbe2f58 mnf/2.0/SRPMS/squid-2.5.STABLE9-1.7.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGAsammqjQ0CJFipgRAgWnAJsE+IF5RHjBEyO6xZX290rMpkF8swCg4vOF
XbU1oT9mGL+HAUUT/KlBxDQ=
=9mdl
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007068__updated_squid_packages_fix_dos_vulnerability.html)