8346215 2002-04-25 17:30 -0700 /120 rader/ <security@caldera.com> Sänt av: joel@lysator.liu.se Importerad: 2002-04-26 07:51 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: announce@lists.caldera.com Extern mottagare: security-alerts@linuxsecurity.com Mottagare: Bugtraq (import) <22073> Ärende: Security Update: [CSSA-2002-017.0] Linux: squid compressed DNS answer message boundary failure ------------------------------------------------------------ From: security@caldera.com To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com Message-ID: <20020425173036.G26352@caldera.com> To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Linux: squid compressed DNS answer message boundary failure Advisory number: CSSA-2002-017.0 Issue date: 2002 April 25 Cross reference: ______________________________________________________________________________ 1. Problem Description From Squid advisory SQUID-2002:2 : Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicious DNS server could craft a DNS reply that would cause Squid to exit with a SIGSEGV. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to squid-2.4.STABLE2-4.i386.rpm OpenLinux 3.1 Server prior to squid-2.4.STABLE2-4.i386.rpm 3. Solution The proper solution is to install the latest packages. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS 4.2 Packages ce1fbb905f270ca49d9151b6b40507c9 squid-2.4.STABLE2-4.i386.rpm 4.3 Installation rpm -Fvh squid-2.4.STABLE2-4.i386.rpm 4.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS 4.5 Source Packages b5001b17b2b841a6cd8b196d5789db64 squid-2.4.STABLE2-4.src.rpm 5. OpenLinux 3.1 Server 5.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS 5.2 Packages 9a72c528ba333d87e1d6719340ee768b squid-2.4.STABLE2-4.i386.rpm 5.3 Installation rpm -Fvh squid-2.4.STABLE2-4.i386.rpm 5.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS 5.5 Source Packages cd38d3243263a06eba7c20c836709711 squid-2.4.STABLE2-4.src.rpm 6. References Specific references for this advisory: http://www.squid-cache.org/Advisories/SQUID-2002_2.txt Caldera OpenLinux security resources: http://www.caldera.com/support/security/index.html Caldera UNIX security resources: http://stage.caldera.com/support/security/ This security fix closes Caldera incidents sr862189, fz520428, and erg711999. 7. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products. 8. Acknowledgements This vulnerability was discovered and researched by zen-parse <zen-parse@gmx.net>. ______________________________________________________________________________ (8346215) / <security@caldera.com>/-------(Ombruten) Bilaga (application/pgp-signature) i text 8346216 8346216 2002-04-25 17:30 -0700 /9 rader/ <security@caldera.com> Importerad: 2002-04-26 07:51 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: announce@lists.caldera.com Extern mottagare: security-alerts@linuxsecurity.com Mottagare: Bugtraq (import) <22074> Bilaga (text/plain) till text 8346215 Ärende: Bilaga till: Security Update: [CSSA-2002-017.0] Linux: squid compressed DNS answer message boundary failure ------------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (SCO_SV) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjzIn6wACgkQbluZssSXDTG7agCgoRgbo3mD/9UoWSggSZkr+Ldb ts4AoPt4k1z4thZG/cAzPCgYc079KpsB =1Rii -----END PGP SIGNATURE----- (8346216) / <security@caldera.com>/-----------------