TSLSA-2001-0013 - Squid

From: Trustix Secure Linux Advisor (tsl_at_trustix.com)
Date: 07/19/01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0013

Package name: Squid
Severity: Allows for unauthorized use of the web proxy
Date: 2001-07-19
Affected versions: TSL 1.01, 1.1, 1.2

- --------------------------------------------------------------------------

Problem description:
  From the squid list of changes:
    Versions 2.3.STABLE2 through 2.3.STABLE4 have a serious security bug
    when Squid is used in the 'httpd_accel' mode. If you configured
    httpd_accel_with_proxy off then any request to Squid is allowed.
    Malicious users may use your proxy to port-scan remote systems,
    forge email, and do other nasty things.

  Note that this is not the default configuration on TSL, but we still
  recommend that you update it.
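  One way a defender can check an accelerator's log for the abuse this bug
  enables: flag requests for hosts the accelerator is not configured to serve,
  or CONNECT tunnels, which an httpd_accel setup should never forward. This is
  an added example, not code from the advisory or from Squid; the log lines and
  the origin hostnames are constructed, and Squid's native access.log layout is
  assumed.

```python
"""Flag Squid access.log entries that an httpd_accel setup should never serve.

An accelerator is meant to forward only requests for its own origin
hostnames. Requests for any other host (or CONNECT tunnels) mean the
proxy is being used as an open proxy, as in the bug this advisory fixes.
"""
from urllib.parse import urlsplit

# Hostnames this accelerator is configured to serve (constructed for the example).
ACCELERATED_HOSTS = {"www.example.org", "example.org"}

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method url ident hier/peer type
SAMPLE_LOG = """\
995534567.123    120 10.0.0.5 TCP_MISS/200 1234 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
995534568.456     95 10.0.0.5 TCP_HIT/200 512 GET http://www.example.org/logo.gif - NONE/- image/gif
995534570.789    330 198.51.100.7 TCP_MISS/200 2048 GET http://mail.example.net/ - DIRECT/203.0.113.20 text/html
995534571.001   1200 198.51.100.7 TCP_MISS/200 0 CONNECT 203.0.113.25:25 - DIRECT/203.0.113.25 -
995534572.222     40 10.0.0.9 TCP_MISS/404 300 GET http://example.org/missing - DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format access.log line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}

def is_open_proxy_use(entry, allowed_hosts):
    """True if the request is for a host the accelerator does not serve."""
    if entry["method"] == "CONNECT":
        return True          # tunnels have no place in an accelerator setup
    host = urlsplit(entry["url"]).hostname   # None for non-absolute URLs -> flagged
    return host not in allowed_hosts

def find_abuse(log_text, allowed_hosts=ACCELERATED_HOSTS):
    """Return (client, method, url) for every suspicious entry in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_open_proxy_use(entry, allowed_hosts):
            hits.append((entry["client"], entry["method"], entry["url"]))
    return hits

if __name__ == "__main__":
    for client, method, url in find_abuse(SAMPLE_LOG):
        print(f"{client} {method} {url}")
```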

Action:
  We recommend that all systems with this package installed be upgraded.

Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

Automatic updates:
  Users of the SWUP tool can have updates installed automatically by
  running 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>

Verification:
  This advisory, along with all TSL packages, is signed with the TSL signing key.
  The key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata page at
  <URI:http://www.trustix.net/errata/trustix-1.2/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0013-squid.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
7c37a1e0b76120b84c0a305be9ec1a02 ./1.2/SRPMS/squid-2.3.STABLE5-1tr.src.rpm
b45ae433ad5c7c0f34b4a1820e2a2fb0 ./1.2/RPMS/squid-2.3.STABLE5-1tr.i586.rpm
7c37a1e0b76120b84c0a305be9ec1a02 ./1.1/SRPMS/squid-2.3.STABLE5-1tr.src.rpm
d03f8db68e6b8839fe677735a04562fd ./1.1/RPMS/squid-2.3.STABLE5-1tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7VqEFwRTcg4BxxS0RAvApAJ9yVKE8s091yCcnmyKLGw3yI64yEgCeNWDS
AOlx4XvOynVZGHytFk1o4xA=
=1w0D
-----END PGP SIGNATURE-----


