Debians sikkerhedsbulletin

DSA-809-2 squid -- flere sårbarheder

Rapporteret den:
13. sep 2005
Berørte pakker:
squid
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Debians fejlsporingssystem: Fejl 320035.
I Mitres CVE-ordbog: CVE-2005-2794, CVE-2005-2796.
Yderligere oplysninger:

Visse afbrudte forespørgsler der udløser en "assertion" i squid, den populære WWW-proxycache, kunne gøre det muligt for fjernangribere at forårsage et lammelsesangreb (denial of service). Denne opdatering retter også en regression forårsaget af DSA 751. For fuldstændighedens skyld er den oprindelige bulletins tekst medtaget herunder:

Flere sårbarheder er opdaget i Squid, den populære WWW-proxycache. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

  • CAN-2005-2794

    Visse afbrudte forespørgsler der udløser an "assert" der kunne gøre det muligt for fjernangribere at forårsage et lammelsesangreb (denial of service).

  • CAN-2005-2796

    Særligt fremstillede forespørgsler kunne forårsage et lammelsesangreb.

I den gamle stabile distribution (woody) er dette problem rettet i version 2.4.6-2woody10.

I den stabile distribution (sarge) er disse problemer rettet i version 2.5.9-10sarge1.

I den ustabile distribution (sid) er disse problemer rettet i version 2.5.10-5.

Vi anbefaler at du opgraderer din squid-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10.dsc
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10.diff.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody10_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody10_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody10_sparc.deb

Debian GNU/Linux 3.1 (sarge)

Kildekode:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.dsc
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.diff.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/s/squid/squid-common_2.5.9-10sarge1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.