U radu programskog paketa Squid uočeni su sigurnosni propusti koje udaljeni napadač može iskoristiti za napad uskraćivanjem usluga (DoS) te izvršavanje zlonamjernog programskog koda.
Paket:
Squid 3.x
Operacijski sustavi:
Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux Enterprise Server 5.0
Kritičnost:
6.5
Problem:
pogreška u programskoj funkciji, preljev međuspremnika
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:150
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squid
Date : October 15, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in squid:
Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher
reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and
3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial
of service (memory corruption and daemon restart) or possibly have
unspecified other impact via a long line in a response. NOTE: This
issue exists because of a CVE-2005-0094 regression (CVE-2011-3205).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
4aec20d8fd59b7aceb7a6a9274b287db 2009.0/i586/squid-3.0-22.5mdv2009.0.i586.rpm
d22e9f4dc350a0a9eb21d37874b5e3b1
2009.0/i586/squid-cachemgr-3.0-22.5mdv2009.0.i586.rpm
75fc6a45c746b00119e613cbf4392942 2009.0/SRPMS/squid-3.0-22.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
30243c9f54b656394b8b7ddbe7cd4791
2009.0/x86_64/squid-3.0-22.5mdv2009.0.x86_64.rpm
c0dc39d1e176109cac25e3c60bb0ad58
2009.0/x86_64/squid-cachemgr-3.0-22.5mdv2009.0.x86_64.rpm
75fc6a45c746b00119e613cbf4392942 2009.0/SRPMS/squid-3.0-22.5mdv2009.0.src.rpm
Mandriva Linux 2010.1:
0da32480f47832e3751e0d06acf630ce 2010.1/i586/squid-3.1-14.2mdv2010.2.i586.rpm
227cb00c733ebfa5338a74d76a698865
2010.1/i586/squid-cachemgr-3.1-14.2mdv2010.2.i586.rpm
dd1dee3113db5cd60bb3343ebfd216ab 2010.1/SRPMS/squid-3.1-14.2mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
ae236c628eea53d0165adf3f855fd8b0
2010.1/x86_64/squid-3.1-14.2mdv2010.2.x86_64.rpm
89db57aa2a0146d85792b642dd17f05d
2010.1/x86_64/squid-cachemgr-3.1-14.2mdv2010.2.x86_64.rpm
dd1dee3113db5cd60bb3343ebfd216ab 2010.1/SRPMS/squid-3.1-14.2mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
eb2bfc4a261922c5fc51b031db1b1008 mes5/i586/squid-3.0-22.5mdvmes5.2.i586.rpm
270afc45addd597391ba0bda571d25d9
mes5/i586/squid-cachemgr-3.0-22.5mdvmes5.2.i586.rpm
6595af1c5f21be921f9b3c85dc70ed98 mes5/SRPMS/squid-3.0-22.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
8eac48174ec86a8f4fd57b63c9df9458
mes5/x86_64/squid-3.0-22.5mdvmes5.2.x86_64.rpm
a9119fac6d475928d95eb3baef99f908
mes5/x86_64/squid-cachemgr-3.0-22.5mdvmes5.2.x86_64.rpm
6595af1c5f21be921f9b3c85dc70ed98 mes5/SRPMS/squid-3.0-22.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOmat0mqjQ0CJFipgRAknuAKDzQPTFe/ZTwqdmpFH/8GxtQ/NCIgCcDgyA
kGmLpDAe1wkpduRLDzeROxY=
=rAvw
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke