
(fwd) squid update -- Immunix OS 6.2, 7.0-beta, and 7.0



[Squid is vulnerable to being misused in reverse proxy mode.  All
distributions -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Received: (qmail 31551 invoked from network); 19 Jul 2001 02:33:15 -0000
Message-ID: <20010718175110.R6541@xxxxxxxxx>
Mail-Followup-To: security-alerts@xxxxxxxxxxxxxxxxx,
	bugtraq@xxxxxxxxxxxxxxxxx, linux-security@xxxxxxxxxxxxxxxxxxxxxxxx,
	immunix-announce@xxxxxxxxxxx
User-Agent: Mutt/1.2.5i
From: Immunix Security Team <security@xxxxxxxxx>
To: security-alerts@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,
        linux-security@xxxxxxxxxxxxxxxxxxxxxxxx, immunix-announce@xxxxxxxxxxx
Subject: squid update -- Immunix OS 6.2, 7.0-beta, and 7.0
Date: Wed, 18 Jul 2001 17:51:10 -0700

-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	squid
Affected products:	Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:		immunix/1675
Date:			Wed Jul 18 2001
Advisory ID:		IMNX-2001-70-031-01
Author:			Seth Arnold <sarnold@xxxxxxxxx>
-----------------------------------------------------------------------

Description:
  Paul Nasrat has discovered a bug in squid's httpd_accel mode that
  allows users to use squid as a portscanner similar to ftp bounce
  scanning because squid does not properly use ACLs in the config file.
  Paul conjectures it may be possible to pass data through the squid
  proxy to communicate in a meaningful fashion, possibly bypassing
  network security settings.

  This update fixes this problem.

  References: http://www.securityfocus.com/archive/1/197727

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/squid-2.3.STABLE4-10_StackGuard.i386.rpm

  Source packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/squid-2.3.STABLE4-10_StackGuard.src.rpm

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/squid-2.3.STABLE4-10_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/squid-2.3.STABLE4-10_imnx.src.rpm

Immunix OS 6.2 md5sums:
  6db7a8501226b8465c29ba04eceae67a  RPMS/squid-2.3.STABLE4-10_StackGuard.i386.rpm
  1d25dc57cc140c70a4ee956102556a10  SRPMS/squid-2.3.STABLE4-10_StackGuard.src.rpm

Immunix OS 7.0 md5sums:
  2d32e0beaf753f1a401e08ff16187398  RPMS/squid-2.3.STABLE4-10_imnx.i386.rpm
  739f4ca67709575dcd4df01e4581b4e9  SRPMS/squid-2.3.STABLE4-10_imnx.src.rpm

GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@xxxxxxxxxx WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.


------------------------------

End of this Digest
******************

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/
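
The advisory above describes squid in httpd_accel mode being usable as a port scanner. One way to look for that pattern in Squid's native access.log is sketched below; this is an added example, not code from the advisory or from Immunix. The sample log lines, ALLOWED_PORTS and the MIN_TARGETS threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
995504000.101 12 192.0.2.10 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/198.51.100.5 text/html
995504001.220 3 192.0.2.66 TCP_MISS/503 1021 GET http://10.0.0.8:22/ - DIRECT/10.0.0.8 -
995504001.310 2 192.0.2.66 TCP_MISS/503 1021 GET http://10.0.0.8:25/ - DIRECT/10.0.0.8 -
995504001.398 2 192.0.2.66 TCP_MISS/503 1021 GET http://10.0.0.8:111/ - DIRECT/10.0.0.8 -
995504001.470 2 192.0.2.66 TCP_MISS/503 1021 GET http://10.0.0.8:6000/ - DIRECT/10.0.0.8 -
995504002.000 9 192.0.2.20 TCP_MISS/200 880 GET http://www.example.com:8080/status - DIRECT/198.51.100.5 text/plain
995504003.512 11 192.0.2.10 TCP_HIT/200 4312 GET http://www.example.com/ - NONE/- text/html
truncated line
"""

ALLOWED_PORTS = {80}   # assumption: the only port the accelerated origin serves
MIN_TARGETS = 3        # assumption: alert threshold, tune per site
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def parse_target(line):
    """Return (client, host, port) for one access.log line, or None if unusable."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, url = fields[2], fields[6]
    try:
        # CONNECT requests are logged as bare host:port, so give them a netloc.
        parts = urlsplit(url if "://" in url else "//" + url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed netloc, non-numeric or out-of-range port
        return None
    if not parts.hostname or port is None:
        return None
    return client, parts.hostname, port

def suspicious_clients(log_text, allowed=ALLOWED_PORTS, min_targets=MIN_TARGETS):
    """Map each client to the distinct off-policy host:port pairs it requested."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_target(line)
        if rec and rec[2] not in allowed:
            targets[rec[0]].add((rec[1], rec[2]))
    return {c: sorted(t) for c, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for client, hits in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(f"{h}:{p}" for h, p in hits))
```

A client that touches a single unexpected port stays below the threshold; only clients fanning out across several host:port pairs are reported.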