New Squid packages available

New Squid packages are available which fix various security issues.

[Updated 16 April 2003]
Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

Squid is a high-performance proxy caching server. The following summary
describes the various issues found and their resolutions.

A problem was found in the code used by Squid to handle compressed DNS
replies where a malicious DNS server could cause Squid to crash. This bug
is fixed in the 2.4.STABLE6 release of Squid. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0163
to this issue. Note that Red Hat Linux 7.3 is not vulnerable to this issue.

Several buffer overflows have been found in the MSNT auth helper
(msnt_auth) when configured to use denyusers or allowusers access control
files.

Several buffer overflows were found in the gopher client of Squid. It
could be possible for a malicious gopher server to cause Squid to crash.

A problem was found in the handling of the FTP data channel, possibly
allowing abuse of the FTP proxy to bypass firewall rules or inject false
FTP replies.

Several possible buffer overflows were found in the code parsing FTP
directories, potentially allowing an untrusted FTP server to crash Squid.

Thanks go to Olaf Kirch and the Squid team for notifying us of the
problems, and to the Squid team for providing patches.

Note that Carp support has been disabled in this errata. If you need Carp
support, you can reconfigure it with --enable-carp and rebuild the packages.

All users of Squid are advised to upgrade to these errata packages which
contain patches to correct each of these issues.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0715
http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
http://www.squid-cache.org/Versions/v2/2.4/bugs/

DNS, FTP, gopher, Squid