Search This Blog

Thursday, September 29, 2005

[SECURITY] [DSA 828-1] New squid packages fix denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 828-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 30th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : squid
Vulnerability : authentication handling
Problem type : remote
Debian-specific: no
CVE ID : CAN-2005-2917

Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.5.9-10sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 2.5.10-6.

We recommend that you upgrade your squid packages.

Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2.dsc
Size/MD5 checksum: 659 2392074c3f5bbafac714a0efe3f5413b
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2.diff.gz
Size/MD5 checksum: 343578 5b33f1d886a388f5b5e13adf6f8cba36
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9.orig.tar.gz
Size/MD5 checksum: 1384772 7290aa52ade1b5d5d3812e9089be13a9

Architecture independent components:

http://security.debian.org/pool/updates/main/s/squid/squid-common_2.5.9-10sarge2_all.deb
Size/MD5 checksum: 195092 380110271211412fec2a319dd55fabe5

Alpha architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_alpha.deb
Size/MD5 checksum: 943132 eb3fed6cf6e3014a3793a2c692d1a93d
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_alpha.deb
Size/MD5 checksum: 100092 c224ea4c569b7857c7b396de2216df92
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_alpha.deb
Size/MD5 checksum: 78174 7ed6d005ceef0d2d475ae3489c72ba82

AMD64 architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_amd64.deb
Size/MD5 checksum: 822522 b0c83496fdcfd0950235ee3d423b96a5
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_amd64.deb
Size/MD5 checksum: 98280 3351bd411a92695183de96d000f8b856
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_amd64.deb
Size/MD5 checksum: 76288 4452d3e5b62676aa76daf2b07a158887

ARM architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_arm.deb
Size/MD5 checksum: 783270 9a7085ed176606fdf1b46e267a3fd437
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_arm.deb
Size/MD5 checksum: 95822 7937e80db8f517e45fd5a85dc73ed205
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_arm.deb
Size/MD5 checksum: 75242 4248b0cf821444aa575d6d8650ae1c4e

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_i386.deb
Size/MD5 checksum: 767558 524c210937dd208f2dde7e400290060b
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_i386.deb
Size/MD5 checksum: 96890 e6a39d2018725412fa6142b2622f9712
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_i386.deb
Size/MD5 checksum: 75360 249ca7fb34dfefec019c7a7cc79ee8aa

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_ia64.deb
Size/MD5 checksum: 1074060 be6aff976b6e7fffcae8b701ea608583
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_ia64.deb
Size/MD5 checksum: 103614 332575bcf0a0c8137d7c3cbf9e768f76
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_ia64.deb
Size/MD5 checksum: 80686 6357f553a55dc3b27c9f69dd2840765c

HP Precision architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_hppa.deb
Size/MD5 checksum: 849592 af5a9a87759ac93cd52bddff4ad0b46f
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_hppa.deb
Size/MD5 checksum: 98076 a9509a1c205d88c5fa071a7de874c671
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_hppa.deb
Size/MD5 checksum: 77666 60e20ba927030b8713c5d057eae4d928

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_m68k.deb
Size/MD5 checksum: 705606 1742d32fc772f1dc5e765f492ef6b6c4
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_m68k.deb
Size/MD5 checksum: 95102 5b803c73e45ea2e47afe2729c573b305
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_m68k.deb
Size/MD5 checksum: 74588 74db688bbd0a2e5dc63fa7eb1bb1e84f

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_mips.deb
Size/MD5 checksum: 880286 57abb8cb6e105d6c288b65ea14f240c5
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_mips.deb
Size/MD5 checksum: 97596 079a2d1377ecc0cc72bb8258953a3de0
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_mips.deb
Size/MD5 checksum: 76784 e795094f66e38ef0852d5d12566db04e

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_mipsel.deb
Size/MD5 checksum: 883008 1e3ed4efc7ee2e02afb264b217d1e578
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_mipsel.deb
Size/MD5 checksum: 97670 9619665e833fd5579ca609cf403072cf
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_mipsel.deb
Size/MD5 checksum: 76884 a147494ae53e333ec10bcbb7bfed9fd0

PowerPC architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_powerpc.deb
Size/MD5 checksum: 817704 d723f8c63f9ece32a4e3c6ced55af7d5
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_powerpc.deb
Size/MD5 checksum: 96798 df6dfd74b399bf4f38ac7b2cfd848b75
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_powerpc.deb
Size/MD5 checksum: 75938 1ab64c11452cfc36f597f49a423377c3

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_s390.deb
Size/MD5 checksum: 816160 2a6605a8e65f4fa7035f1a9771139a9a
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_s390.deb
Size/MD5 checksum: 97178 ebbef048a05df68823ae4d614004937e
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_s390.deb
Size/MD5 checksum: 76598 ef92c29c34d0637d8c833427477cf866

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge2_sparc.deb
Size/MD5 checksum: 773748 9327db7709ccb329f7c83270037ea229
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge2_sparc.deb
Size/MD5 checksum: 95968 9ba038513e069f6e96d41cf3068daa3c
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge2_sparc.deb
Size/MD5 checksum: 75618 12254a07f2b7b7a461e8370743da5721

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDPMu9W5ql+IAeqTIRAoiAAJ9fxgBxsBLqNf91HLvADl8sDPn1hwCfcnUx
4UL5rjylWEZN3Af4OYM6boM=
=raQK
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: