Debians sikkerhedsbulletin

DSA-1646-1 squid -- arraygrænsekontrol

Rapporteret den:
7. okt 2008
Berørte pakker:
squid
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2008-1612.
Yderligere oplysninger:

En svaghed er opdaget i squid, en cachende proxyserver. Fejlen blev introduceret opstrøms som reaktion på CVE-2007-6239, og annonceret af Debian i DSA-1482-1. Den involverer en overagressiv grænsekontrol på en størrelsesændring af et array, og kunne udnyttes af en autoriseret klient til at iværksætte en lammelsesangrebstilstand (denial of service) mod squid.

I den stabile distribution (etch), er disse problemer rettet i version 2.6.5-6etch2.

Vi anbefaler at du opgraderer dine squid-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5.orig.tar.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2.diff.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2.dsc
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/s/squid/squid-common_2.6.5-6etch2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.6.5-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.6.5-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squid_2.6.5-6etch2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.