Tuesday, July 28, 2009

[SECURITY] [DSA 1843-1] New squid3 packages fix denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1843-1 security@debian.org
http://www.debian.org/security/ Nico Golde
July 28th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : squid3
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : 538989
CVE ID : none assigned yet

It was discovered that squid3, a high-performance proxy caching server for
web clients, is prone to several denial of service attacks. Due to incorrect
bounds checking and insufficient validation while processing response and
request data an attacker is able to crash the squid daemon via crafted
requests or responses.


The squid package in the oldstable distribution (etch) is not affected
by this problem.

For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3+lenny1.

For the testing distribution (squeeze) and the unstable distribution (sid),
this problem will be fixed soon.


We recommend that you upgrade your squid3 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1.dsc
Size/MD5 checksum: 1192 c13b5a7e1b159c587c343c93ffe3954f
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1.diff.gz
Size/MD5 checksum: 18440 9d092a60dd0fdd48493762783ade11bb
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8.orig.tar.gz
Size/MD5 checksum: 2443502 b5d26e1b7e2285bb60cf4de249113722

Architecture independent packages:

http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.STABLE8-3+lenny1_all.deb
Size/MD5 checksum: 290774 dbded6c5489997cb462a146187f8ee17

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_alpha.deb
Size/MD5 checksum: 94472 5bd96fdea0d63b8048cc962a35947cc7
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_alpha.deb
Size/MD5 checksum: 90352 fc84b58b9e69594240fe36e8999cb2c5
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_alpha.deb
Size/MD5 checksum: 1121878 960f3e7e69fc64012fb045188796d79b

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_amd64.deb
Size/MD5 checksum: 93164 05f7aef3d58fa379de7b697d6c205033
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_amd64.deb
Size/MD5 checksum: 1009536 6063788652160e51a4794ca3e16f92de
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_amd64.deb
Size/MD5 checksum: 89324 703674793864a7f922df9ce9edb98ec4

arm architecture (ARM)

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_arm.deb
Size/MD5 checksum: 979862 08d161d799ae9a5339d52286151e3178
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_arm.deb
Size/MD5 checksum: 87014 b9b50f3725f906075bdc5dc011381bf9
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_arm.deb
Size/MD5 checksum: 90196 84e98cfac9522c7cccf4d8670f5252be

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_armel.deb
Size/MD5 checksum: 930658 476e440432b2c80a9d08cd4399ad8172
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_armel.deb
Size/MD5 checksum: 91112 51cfde8ffd3b6bb72580e4325c2d4b6e
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_armel.deb
Size/MD5 checksum: 88124 6ff1a03aeb679b5730f59f0e965bbe74

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_hppa.deb
Size/MD5 checksum: 1164302 78c67658ce02fcfd787ab0e76d4a95f7
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_hppa.deb
Size/MD5 checksum: 89500 43118718af5808bd3bb7acb83f5ddc08
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_hppa.deb
Size/MD5 checksum: 93330 4a85a0dd699c2e1631167998d2c7806b

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_i386.deb
Size/MD5 checksum: 87030 a4a37bb05605ec21fc34f9021825bd16
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_i386.deb
Size/MD5 checksum: 90954 d8b8003626029cb1566cb9bd6906791e
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_i386.deb
Size/MD5 checksum: 934256 0b647a464eb9512dd4a263ad72c4c390

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_ia64.deb
Size/MD5 checksum: 99446 acd6b508daa799c6bb80017fa82da224
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_ia64.deb
Size/MD5 checksum: 93348 73bf9f2b4e793edd20253ac214cdd75a
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_ia64.deb
Size/MD5 checksum: 1494086 2c2d0a2e0e6317128c74b63167bc2c20

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_mips.deb
Size/MD5 checksum: 1077924 028edd9988841c6db805ce13278986bb
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_mips.deb
Size/MD5 checksum: 89490 1d77d8d677dbd76a88dfad48380f54dd
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_mips.deb
Size/MD5 checksum: 93056 f64134cdd9d81e77690d713d13b19758

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_powerpc.deb
Size/MD5 checksum: 89374 863719340796cdb85d75c6a50f8eee6d
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_powerpc.deb
Size/MD5 checksum: 1048922 1ec5a093ad1e2351caab60dc077c9d2b
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_powerpc.deb
Size/MD5 checksum: 93784 f2b0b7051a062914fcb5986f625b4d97

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_s390.deb
Size/MD5 checksum: 991366 bcd61bb018f750c6180dcfc6f13b4149
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_s390.deb
Size/MD5 checksum: 89092 3d6ba40020dd48810dab3fefb58db7fc
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_s390.deb
Size/MD5 checksum: 92868 bdb87ee5136e35e0e595396de922f33d

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny1_sparc.deb
Size/MD5 checksum: 91322 34c67de1aa5cd4d2981211db437e23e5
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny1_sparc.deb
Size/MD5 checksum: 962336 3e38bb008b070cd93e021839a77f4297
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny1_sparc.deb
Size/MD5 checksum: 88012 bac94e124e33de0784633dd8e4b06dd7


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpvMhsACgkQHYflSXNkfP8AjQCbBKGXgQSO7fm6G4CIsQWmZckr
x54AnRyPvilg91lCMJ6tkXSHIF2lgtBP
=Nx5e
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment