Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2002-010.0] Linux: ftp vulnerability in squid
From: security () caldera com
Date: Fri, 29 Mar 2002 11:41:05 -0800

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com

______________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                Linux: ftp vulnerability in squid
Advisory number:        CSSA-2002-010.0
Issue date:             2002, March 18
Cross reference:
______________________________________________________________________________


1. Problem Description

   If certain constructed ftp:// style URL's are received, then squid
   crashes, causing a denial of service and possibly remote execution of
   code.


2. Vulnerable Supported Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Server 3.1          All packages previous to
                                 squid-2.4.STABLE2-3              

   OpenLinux Workstation 3.1     All packages previous to
                                 squid-2.4.STABLE2-3

   OpenLinux Server 3.1.1        All packages previous to      
                                 squid-2.4.STABLE2-3           
   
   OpenLinux Workstation         All packages previous to      
   3.1.1                         squid-2.4.STABLE2-3           
   


3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.


4. OpenLinux 3.1 Server

    4.1 Location of Fixed Packages

         The 3.1 version of this package is not yet available. An updated
         advisory will be published when the package is released.
 

5. OpenLinux 3.1 Workstation

    5.1 Location of Fixed Packages

         The 3.1 version of this package is not yet available. An updated
         advisory will be published when the package is released.
 

6. OpenLinux 3.1.1 Server

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

       29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
       863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm
       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
         

7. OpenLinux 3.1.1 Workstation

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

       29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
       863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
         


8. References

   Specific references for this advisory:

        none


   Caldera OpenLinux security resources:

        http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

        http://stage.caldera.com/support/security/



   This security fix closes Caldera incidents sr860954, fz520237,
   erg711971.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories.  Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera International products.


10. Acknowledgements

   The ftp vulnerability was discovered by Jouko Pynnonen
   <jouko () solutions fi>.
______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2002-010.0] Linux: ftp vulnerability in squid security (Mar 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]