Operating System:

[WIN][UNIX/Linux][Debian]

Published:

04 March 2009

Protect yourself against future threats.

//Service

Early Warning SMS

Receive SMS notifications for the most critical security threats and vulnerabilities.

Read more
Resources > Security Bulletins > ESB-2009.0197 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2009.0197 -- [Win][UNIX/Linux][Debian]
                 New squid3 packages fix denial of service
                               4 March 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              squid3
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0478

Original Bulletin:    http://www.debian.org/security/2009/dsa-1732

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running Squid check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1732                    security@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 03, 2009                        http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : squid3
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0478

Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion
error in squid3, a full featured Web Proxy cache, which could lead to
a denial of service attack.


For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3, which was already included in the lenny release.

For the oldstable distribution (etch), this problem has been fixed in
version 3.0.PRE5-5+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 3.0.STABLE8-3.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Debian (oldstable)
- - ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5.orig.tar.gz
    Size/MD5 checksum:  3061614 35cc83c17afb17c4718ffc8d0d71bcae
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1.diff.gz
    Size/MD5 checksum:    13354 4993554616685c3596d9f96eb12d53c1
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1.dsc
    Size/MD5 checksum:      735 98fac484b56ec7ee5f69ad6336656e28

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb
    Size/MD5 checksum:   248732 2b26e7e28cefe82d5c7a94d7cdb73c74

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_alpha.deb
    Size/MD5 checksum:    66928 73ba707ff043dabf778d8839591ff00c
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_alpha.deb
    Size/MD5 checksum:   887986 246a0992ee6867cba9b5bd90ae3bb167
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_alpha.deb
    Size/MD5 checksum:    71404 11af955fd5604bd2595fcce41e6d4632

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_amd64.deb
    Size/MD5 checksum:    64534 3bb28edd86a31e8fdfb37551631f3da8
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_amd64.deb
    Size/MD5 checksum:    68328 798fa101699710b329935a78bf0cd0ea
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_amd64.deb
    Size/MD5 checksum:   792302 78aa4fae02843d22ee8784e5f1ee87cb

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_arm.deb
    Size/MD5 checksum:    63484 d6f2107d20788bf7dd07abb9b206172c
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_arm.deb
    Size/MD5 checksum:   769738 10d6ac7123424be28690c2030cbf5eb7
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_arm.deb
    Size/MD5 checksum:    67272 2fdd845095b8fa0cb3d9574e5fdb4bcd

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_hppa.deb
    Size/MD5 checksum:    69974 604c4c10f65c185b89d1cff91136a32e
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_hppa.deb
    Size/MD5 checksum:   929058 a90594d57f20ea12d7f1cd05fab538a4
  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_hppa.deb
    Size/MD5 checksum:    66514 961004e071bff449058b1fcbbf11910c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_i386.deb
    Size/MD5 checksum:    64442 8f93ed7979e6346f09240bda0f8397fb
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_i386.deb
    Size/MD5 checksum:   743098 85d673af4e6a9451acca3e519a057727
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_i386.deb
    Size/MD5 checksum:    68450 b4b71002a819ed312b5049f52f6b26af

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_ia64.deb
    Size/MD5 checksum:  1185186 d0a0f2f96cdcaa68f64fb712e60e388a
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_ia64.deb
    Size/MD5 checksum:    76120 59e1000682f659bd8c279cdbb03aabbe
  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_ia64.deb
    Size/MD5 checksum:    70344 70082e6f0d055c6fbc5bb659d291a59c

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_mipsel.deb
    Size/MD5 checksum:    70014 2776662dce0de56454d4e19525c616fa
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_mipsel.deb
    Size/MD5 checksum:   911840 16122bd2616f77ac6019dc142fe64157
  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_mipsel.deb
    Size/MD5 checksum:    66332 1e67fe985396c482e963876626975523

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_powerpc.deb
    Size/MD5 checksum:    69072 311a6d89f5e29f14319fde9d7aee364c
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_powerpc.deb
    Size/MD5 checksum:   819050 28e74d4371d39fa553c1ecacb282c7a3
  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_powerpc.deb
    Size/MD5 checksum:    64818 35cbc5e8ebd78dc0294750d2e2d32d7a

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_s390.deb
    Size/MD5 checksum:   787254 1303b619f1b56d7908fea5308c88669c
  http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_s390.deb
    Size/MD5 checksum:    65164 cc13b2a7b237ff84219a65760a8cca95
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_s390.deb
    Size/MD5 checksum:    69104 de5334329dbad3f151a6322b9ec6d2d0


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJrOarU5XKDemr/NIRAruiAJ4n/G69QyOXkYcxSXzgKuJtexgf1QCgwiKe
JqUm+FjVX2eyDn2e0zcSJdE=
=1HUa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJrb9vNVH5XJJInbgRAqbwAJ9Oy9qJrV8nEHPkPhXYXDjHWltjTgCfXCTF
k101RdCFHXVzPeb5a3IZicA=
=TL1G
-----END PGP SIGNATURE-----