SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Squid
Vendors:   [Multiple Authors/Vendors]
(Caldera Issues Fix for OpenLinux) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
SecurityTracker Alert ID:  1003927
SecurityTracker URL:  http://securitytracker.com/id/1003927
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 30 2002
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.3 and 2.4 series
Description:   A denial of service vulnerability was reported in the Squid proxy caching server. A remote user can cause the proxy caching service to crash.

The following type of PUT request, whose target path requires a directory to be created on the FTP server, will cause the Squid proxy to crash:

PUT ftp://cgi-lexus:yGDgX9@[ftpserveraddress]/WEB-INF/1/2/1/ HTTP/1.1

A request of this type produces log messages such as the following:

Sep 10 14:17:11 azimuth (squid): xstrdup: tried to dup a NULL pointer!
Sep 10 14:17:11 azimuth squid[3027]: Squid Parent: child process 12742 exited due to signal 6
Sep 10 14:17:14 azimuth squid[3027]: Squid Parent: child process 12745 started

It is reported that the Squid parent process restarts the child within a few seconds and the proxy returns to normal operation.
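Because the parent process restarts the crashed child almost immediately, a plain availability check will not notice this condition; what does show it is the pattern of "child process N exited due to signal 6" lines in syslog. The following is an added example, not code from the alert, from Squid or from Caldera: a small Python detector that runs over syslog lines like the three quoted above and flags a burst of child crashes. The hostname, PIDs and timestamps of the first three sample lines are taken from the alert's excerpt; the remaining sample lines are constructed to show a repeat crash and unrelated noise. Signal 6 is SIGABRT, which is consistent with the xstrdup abort in the first line.

```python
import re
from datetime import datetime

# Constructed sample syslog input. The first three lines reproduce the alert's
# excerpt; the rest are constructed (a second crash/restart cycle and an
# unrelated sshd line) to exercise the detector.
SAMPLE_LOG = """\
Sep 10 14:17:11 azimuth (squid): xstrdup: tried to dup a NULL pointer!
Sep 10 14:17:11 azimuth squid[3027]: Squid Parent: child process 12742 exited due to signal 6
Sep 10 14:17:14 azimuth squid[3027]: Squid Parent: child process 12745 started
Sep 10 14:17:20 azimuth squid[3027]: Squid Parent: child process 12745 exited due to signal 6
Sep 10 14:17:23 azimuth squid[3027]: Squid Parent: child process 12750 started
Sep 10 14:20:00 azimuth sshd[410]: Accepted publickey for admin from 10.0.0.5
"""

# Classic BSD syslog prefix: "Mon dd HH:MM:SS host rest" (day may be space padded).
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
EXIT_RE = re.compile(r"Squid Parent: child process (?P<pid>\d+) exited due to signal (?P<sig>\d+)")
START_RE = re.compile(r"Squid Parent: child process (?P<pid>\d+) started")
XSTRDUP_RE = re.compile(r"xstrdup: tried to dup a NULL pointer")


def parse_events(log_text):
    """Extract (timestamp, kind, pid, signal) tuples for the Squid messages of interest.

    Syslog carries no year, so timestamps are parsed into a nominal year; only the
    differences between them are used below.
    """
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        rest = m.group("rest")
        if XSTRDUP_RE.search(rest):
            events.append((ts, "xstrdup_null", None, None))
            continue
        e = EXIT_RE.search(rest)
        if e:
            events.append((ts, "child_exit", int(e.group("pid")), int(e.group("sig"))))
            continue
        s = START_RE.search(rest)
        if s:
            events.append((ts, "child_start", int(s.group("pid")), None))
    return events


def analyse(log_text, window_seconds=60, threshold=2):
    """Summarise Squid child crashes and raise an alert when `threshold` or more
    crashes fall inside any `window_seconds` window (the repeated-crash pattern a
    remote denial of service produces)."""
    events = parse_events(log_text)
    crashes = [(ts, pid, sig) for ts, kind, pid, sig in events if kind == "child_exit"]
    restarts = sum(1 for ev in events if ev[1] == "child_start")
    null_dups = sum(1 for ev in events if ev[1] == "xstrdup_null")

    # Largest number of crashes that start within one window of a given crash.
    burst = 0
    for i, (ts, _, _) in enumerate(crashes):
        in_window = sum(1 for t2, _, _ in crashes[i:] if (t2 - ts).total_seconds() <= window_seconds)
        burst = max(burst, in_window)

    return {
        "crashes": len(crashes),
        "sigabrt_crashes": sum(1 for _, _, sig in crashes if sig == 6),
        "restarts": restarts,
        "xstrdup_null_messages": null_dups,
        "max_crashes_in_window": burst,
        "alert": burst >= threshold,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the host's syslog (or the output of the Squid cache log shipped to a collector) and alarm on `alert`; the single crash the alert describes gives `crashes == 1` and no alarm at the default threshold, while a client repeating the request trips it within seconds.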

Impact:   A remote user can cause the Squid proxy to crash.
Solution:   The vendor has released a fix.

For OpenLinux 3.1 Server:

The 3.1 version of this package is not yet available. An updated advisory will be published when the package is released.


For OpenLinux 3.1 Workstation:

The 3.1 version of this package is not yet available. An updated advisory will be published when the package is released.


For OpenLinux 3.1.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

The verification checksums are:

29ca65972c56e9a35a2181ce75bf23a2 RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 SRPMS/squid-2.4.STABLE2-3.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh squid-2.4.STABLE2-3.i386.rpm


For OpenLinux 3.1.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

The verification checksums are:

29ca65972c56e9a35a2181ce75bf23a2 RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026 SRPMS/squid-2.4.STABLE2-3.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
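The fix procedure above has three steps: download the package, compare it against the published checksum, and only then run rpm -Fvh. The following is an added example, not Caldera's or SecurityTracker's code: a Python gate that parses checksum lines in the advisory's format, recomputes MD5 over the downloaded files and returns the rpm command only when every digest matches. Since the real packages are not available here, demo() builds constructed files and checksums of its own to exercise the ok and mismatch paths; the advisory's published digests are used only to show that unrelated files fail verification. MD5 is what this 2002 advisory publishes; on a current RPM system you would additionally check the package signature with rpm -K before installing.

```python
import hashlib
import os
import tempfile

# Checksum lines exactly as published in the advisory: hex MD5, whitespace, relative path.
ADVISORY_CHECKSUMS = """\
29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm
"""


def parse_checksum_lines(text):
    """Map relative path -> expected lowercase hex digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(checksum_text, base_dir):
    """Return (all_ok, report); report maps each listed path to 'ok', 'mismatch' or 'missing'."""
    report = {}
    for rel, digest in parse_checksum_lines(checksum_text).items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        elif md5_of_file(full) != digest:
            report[rel] = "mismatch"
        else:
            report[rel] = "ok"
    return all(v == "ok" for v in report.values()), report


def install_command(checksum_text, base_dir):
    """Build the advisory's `rpm -Fvh <binary rpms>` command, or None if any file failed."""
    ok, report = verify_downloads(checksum_text, base_dir)
    if not ok:
        return None
    rpms = [os.path.basename(p) for p in report if p.startswith("RPMS/")]
    return ["rpm", "-Fvh", *rpms]


def demo():
    """Constructed self-test: fake package files with matching checksums, then one tampered file."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "RPMS"))
        os.makedirs(os.path.join(d, "SRPMS"))
        # Constructed contents; only the file names follow the advisory.
        files = {
            "RPMS/squid-2.4.STABLE2-3.i386.rpm": b"constructed binary rpm bytes",
            "SRPMS/squid-2.4.STABLE2-3.src.rpm": b"constructed source rpm bytes",
        }
        for rel, data in files.items():
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        sums = "".join(f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in files.items())
        before = verify_downloads(sums, d)
        cmd_ok = install_command(sums, d)
        with open(os.path.join(d, "RPMS/squid-2.4.STABLE2-3.i386.rpm"), "ab") as f:
            f.write(b"tampered")
        after = verify_downloads(sums, d)
        cmd_bad = install_command(sums, d)
        # The advisory's real digests cannot match constructed files: every entry is a mismatch.
        advisory_vs_constructed = verify_downloads(ADVISORY_CHECKSUMS, d)
    return {
        "before": before,
        "after": after,
        "cmd_ok": cmd_ok,
        "cmd_bad": cmd_bad,
        "advisory_vs_constructed": advisory_vs_constructed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would call `install_command(ADVISORY_CHECKSUMS, download_dir)` after fetching the RPMS/ and SRPMS/ directories and run the returned command only when it is not None; the source package is verified as well even though only the binary package is installed.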

Vendor URL:  www.squid-cache.org/bugs/show_bug.cgi?id=233
Cause:   Exception handling error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  3.1, 3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Sep 21 2001 Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests



 Source Message Contents

Subject:  Security Update: [CSSA-2002-010.0] Linux: ftp vulnerability in squid


To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux: ftp vulnerability in squid
Advisory number: 	CSSA-2002-010.0
Issue date: 		2002, March 18
Cross reference:
______________________________________________________________________________


1. Problem Description

   If certain constructed ftp:// style URLs are received, then squid
   crashes, causing a denial of service and possibly remote execution of
   code.


2. Vulnerable Supported Versions

   System                        Package
   -----------------------------------------------------------
   OpenLinux Server 3.1          All packages previous to
                                 squid-2.4.STABLE2-3

   OpenLinux Workstation 3.1     All packages previous to
                                 squid-2.4.STABLE2-3

   OpenLinux Server 3.1.1        All packages previous to
                                 squid-2.4.STABLE2-3

   OpenLinux Workstation 3.1.1   All packages previous to
                                 squid-2.4.STABLE2-3



3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.


4. OpenLinux 3.1 Server

    4.1 Location of Fixed Packages

         The 3.1 version of this package is not yet available. An updated
         advisory will be published when the package is released.
 

5. OpenLinux 3.1 Workstation

    5.1 Location of Fixed Packages

         The 3.1 version of this package is not yet available. An updated
         advisory will be published when the package is released.
 

6. OpenLinux 3.1.1 Server

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

       29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
       863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm
       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
         

7. OpenLinux 3.1.1 Workstation

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

       29ca65972c56e9a35a2181ce75bf23a2  RPMS/squid-2.4.STABLE2-3.i386.rpm
       863ac8d6f199d9ebec518f85a6811026  SRPMS/squid-2.4.STABLE2-3.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh squid-2.4.STABLE2-3.i386.rpm
         


8. References

   Specific references for this advisory:

	none


   Caldera OpenLinux security resources:

	http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

	http://stage.caldera.com/support/security/



   This security fix closes Caldera incidents sr860954, fz520237,
   erg711971.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories.  Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera International products.


10. Acknowledgements

   The ftp vulnerability was discovered by Jouko Pynnonen
   <jouko@solutions.fi>.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjykw1AACgkQbluZssSXDTFGJACdE5wVuCWvT9zJ+VCyKX3zcj1a
W8MAoKPSBwfrJ8pivAbf8SdNYolRUdgO
=RSEs
-----END PGP SIGNATURE-----


 
 


Copyright 2020, SecurityGlobal.net LLC