Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0197 -- [Win][UNIX/Linux][Debian] New squid3 packages fix denial of service 4 March 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: squid3 Publisher: Debian Operating System: Debian GNU/Linux 4.0 UNIX variants (UNIX, Linux, OSX) Windows Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2009-0478 Original Bulletin: http://www.debian.org/security/2009/dsa-1732 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running Squid check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1732 security@debian.org http://www.debian.org/security/ Steffen Joeris March 03, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : squid3 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE Id(s) : CVE-2009-0478 Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion error in squid3, a full featured Web Proxy cache, which could lead to a denial of service attack. For the stable distribution (lenny), this problem has been fixed in version 3.0.STABLE8-3, which was already included in the lenny release. For the oldstable distribution (etch), this problem has been fixed in version 3.0.PRE5-5+etch1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 3.0.STABLE8-3. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5.orig.tar.gz Size/MD5 checksum: 3061614 35cc83c17afb17c4718ffc8d0d71bcae http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1.diff.gz Size/MD5 checksum: 13354 4993554616685c3596d9f96eb12d53c1 http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1.dsc Size/MD5 checksum: 735 98fac484b56ec7ee5f69ad6336656e28 Architecture independent packages: http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb Size/MD5 checksum: 248732 2b26e7e28cefe82d5c7a94d7cdb73c74 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_alpha.deb Size/MD5 checksum: 66928 73ba707ff043dabf778d8839591ff00c http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_alpha.deb Size/MD5 checksum: 887986 246a0992ee6867cba9b5bd90ae3bb167 http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_alpha.deb Size/MD5 checksum: 71404 11af955fd5604bd2595fcce41e6d4632 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_amd64.deb Size/MD5 checksum: 64534 3bb28edd86a31e8fdfb37551631f3da8 http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_amd64.deb Size/MD5 checksum: 68328 798fa101699710b329935a78bf0cd0ea http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_amd64.deb Size/MD5 checksum: 792302 78aa4fae02843d22ee8784e5f1ee87cb arm architecture (ARM) http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_arm.deb Size/MD5 checksum: 63484 d6f2107d20788bf7dd07abb9b206172c http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_arm.deb Size/MD5 checksum: 769738 10d6ac7123424be28690c2030cbf5eb7 http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_arm.deb Size/MD5 checksum: 67272 2fdd845095b8fa0cb3d9574e5fdb4bcd hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_hppa.deb Size/MD5 checksum: 69974 604c4c10f65c185b89d1cff91136a32e http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_hppa.deb Size/MD5 checksum: 929058 a90594d57f20ea12d7f1cd05fab538a4 http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_hppa.deb Size/MD5 checksum: 66514 961004e071bff449058b1fcbbf11910c i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_i386.deb Size/MD5 checksum: 64442 8f93ed7979e6346f09240bda0f8397fb http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_i386.deb Size/MD5 checksum: 743098 85d673af4e6a9451acca3e519a057727 http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_i386.deb Size/MD5 checksum: 68450 b4b71002a819ed312b5049f52f6b26af ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_ia64.deb Size/MD5 checksum: 1185186 d0a0f2f96cdcaa68f64fb712e60e388a http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_ia64.deb Size/MD5 checksum: 76120 59e1000682f659bd8c279cdbb03aabbe http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_ia64.deb Size/MD5 checksum: 70344 70082e6f0d055c6fbc5bb659d291a59c mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_mipsel.deb Size/MD5 checksum: 70014 2776662dce0de56454d4e19525c616fa http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_mipsel.deb Size/MD5 checksum: 911840 16122bd2616f77ac6019dc142fe64157 http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_mipsel.deb Size/MD5 checksum: 66332 1e67fe985396c482e963876626975523 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_powerpc.deb Size/MD5 checksum: 69072 311a6d89f5e29f14319fde9d7aee364c http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_powerpc.deb Size/MD5 checksum: 819050 28e74d4371d39fa553c1ecacb282c7a3 http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_powerpc.deb Size/MD5 checksum: 64818 35cbc5e8ebd78dc0294750d2e2d32d7a s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_s390.deb Size/MD5 checksum: 787254 1303b619f1b56d7908fea5308c88669c http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_s390.deb Size/MD5 checksum: 65164 cc13b2a7b237ff84219a65760a8cca95 http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_s390.deb Size/MD5 checksum: 69104 de5334329dbad3f151a6322b9ec6d2d0 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJrOarU5XKDemr/NIRAruiAJ4n/G69QyOXkYcxSXzgKuJtexgf1QCgwiKe JqUm+FjVX2eyDn2e0zcSJdE= =1HUa - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFJrb9vNVH5XJJInbgRAqbwAJ9Oy9qJrV8nEHPkPhXYXDjHWltjTgCfXCTF k101RdCFHXVzPeb5a3IZicA= =TL1G -----END PGP SIGNATURE-----