int(1821)

Vulnerability Bulletins


Múltiples vulnerabilidades en Squid Proxy Cache

Vulnerability classification

Property Value
Confidence level Oficial
Impact Denegación de Servicio
Dificulty Experto
Required attacker level Acceso remoto sin cuenta a un servicio estandar

System information

Property Value
Affected manufacturer GNU/Linux
Affected software Squid Web Proxy Cache 2.5

Description

Se han descubierto múltiples vulnerabilidades en Squid Proxy Cache versión 2.5. Las vulnerabilidades son descritas a continuación:

- CAN-2004-2479: Se ha descubierto un fallo en la forma en que Squid versión 2.5 muestra mensajes de error. Un atacante remoto podría enviar una petición que contenga un nombre de host invalido lo que podría causar que Squid mostrara un mensaje de error previo.

- CAN-2005-2794 y CAN-2005-2796: Se han descubierto dos vulnerabilidades en Squid 2.5.STABLE10. Las vulnerabilidades residen en el procesado de peticiones malformadas. Un atacante remoto podría provocar una situación de denegación de servicio de Squid mediante una petición especialmente diseñada.

Solution



Actualización de software

Red Hat Linux
Red Hat Desktop (v. 3) / SRPMS, IA-32, x86_64
Red Hat Desktop (v. 4) / SRPMS, IA-32, x86_64
Red Hat Enterprise Linux AS (v. 2.1) / SRPMS, IA-32, x86_64
Red Hat Enterprise Linux AS (v. 3) / SRPMS, IA-32, IA-64, PPC, s390, s390x, x86_64
Red Hat Enterprise Linux AS (v. 4) / SRPMS, IA-32, IA-64, PPC, s390, s390x, x86_64
Red Hat Enterprise Linux ES (v. 2.1) / SRPMS, IA-32
Red Hat Enterprise Linux ES (v. 3) / SRPMS, IA-32, IA-64, x86_64
Red Hat Enterprise Linux ES (v. 4) / SRPMS, IA-32, IA-64, x86_64
Red Hat Enterprise Linux WS (v. 3) / SRPMS, IA-32, IA-64, x86_64
Red Hat Enterprise Linux WS (v. 4) / SRPMS, IA-32, IA-64, x86_64
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor / SRPMS, IA-64
https://rhn.redhat.com/

Mandriva Linux

Mandrakelinux 10.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/squid-2.5.STABLE9-1.3.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/squid-2.5.STABLE9-1.3.101mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/squid-2.5.STABLE9-1.3.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/squid-2.5.STABLE9-1.3.101mdk.src.rpm

Corporate Server 2.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/squid-2.4.STABLE7-2.8.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.8.C21mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.8.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.8.C21mdk.src.rpm

Corporate Server 3.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/squid-2.5.STABLE9-1.3.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/squid-2.5.STABLE9-1.3.C30mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/squid-2.5.STABLE9-1.3.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/squid-2.5.STABLE9-1.3.C30mdk.src.rpm

Multi Network Firewall 2.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/squid-2.5.STABLE9-1.3.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/squid-2.5.STABLE9-1.3.M20mdk.src.rpm

Mandrivalinux LE2005
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/squid-2.5.STABLE9-1.3.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/squid-2.5.STABLE9-1.3.102mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/squid-2.5.STABLE9-1.3.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/squid-2.5.STABLE9-1.3.102mdk.src.rpm

Debian

Debian Linux 3.0
Source
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11.dsc
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11.diff.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz
Alpha
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_alpha.deb
ARM
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_ia64.deb
HP Precision
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_sparc.deb

Debian Linux 3.1
Source
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.dsc
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.diff.gz
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9.orig.tar.gz
Architecture independent
http://security.debian.org/pool/updates/main/s/squid/squid-common_2.5.9-10sarge1_all.deb
Alpha
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_alpha.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_alpha.deb
AMD64
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_amd64.deb
ARM
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_arm.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_i386.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_ia64.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_ia64.deb
HP Precision
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_hppa.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_m68k.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_mips.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_mipsel.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_s390.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_sparc.deb
http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_sparc.deb

SUSE Linux

SUSE Linux 9.3
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/squid-2.5.STABLE9-4.4.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/squid-2.5.STABLE9-4.4.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/squid-2.5.STABLE9-4.4.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/squid-2.5.STABLE9-4.4.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/squid-2.5.STABLE9-4.4.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/src/squid-2.5.STABLE9-4.4.src.rpm

SUSE Linux 9.2
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/squid-2.5.STABLE6-6.15.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/squid-2.5.STABLE6-6.15.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/squid-2.5.STABLE6-6.15.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/squid-2.5.STABLE6-6.15.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/squid-2.5.STABLE6-6.15.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/squid-2.5.STABLE6-6.15.src.rpm

SUSE Linux 9.1
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.41.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.41.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/squid-2.5.STABLE5-42.41.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.41.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.41.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/squid-2.5.STABLE5-42.41.src.rpm

SUSE Linux 9.0
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-126.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-126.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/squid-2.5.STABLE3-126.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-126.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-126.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/squid-2.5.STABLE3-126.src.rpm

SGI
Advanced Linux Environment 3 / RPM / Patch 10255
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
Advanced Linux Environment 3 / SRPM / Patch 10255
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

SCO
UnixWare 7.1.4
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.44

Standar resources

Property Value
CVE CAN-2004-2479
CAN-2005-2794
CAN-2005-2796
BID 11865

Other resources

Squid Bugzilla Bug 1143
http://www.squid-cache.org/bugs/show_bug.cgi?id=1143

Red Hat Security Advisory (RHSA-2005:766-7)
https://rhn.redhat.com/errata/RHSA-2005-766.html

SUSE Security Announcement
http://www.novell.com/linux/security/advisories/2005_53_squid.html

Mandriva Security Advisories MDKSA-2005:162
http://www.mandriva.com/security/advisories?name=MDKSA-2005:162

Debian Security Advisory DSA 809-3
http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00199.html

SGI Security Advisory (20050903-02-U)
ftp://patches.sgi.com/support/free/security/advisories/20050903-02-U.asc

SCO Security Advisory (SCOSA-2005.44)
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.44/SCOSA-2005.44.txt

Version history

Version Comments Date
1.0 Aviso emitido 2005-09-19
1.1 Aviso emitido por SGI (20050903-02-U) 2005-10-03
1.2 Aviso emitido por Debian (DSA 809-2) 2005-10-04
1.3 Aviso actualizado por Debian (DSA 809-3) 2005-11-09
1.4 Aviso emitido por SCO (SCOSA-2005.44) 2005-11-28
Ministerio de Defensa
CNI
CCN
CCN-CERT