Security Advisory Moderate: squid security update

Advisory: RHSA-2007:0131-2
Type: Security Advisory
Severity: Moderate
Issued on: 2007-04-03
Last updated on: 2007-04-03
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
OVAL: com.redhat.rhsa-20070131.xml
CVEs (cve.mitre.org): CVE-2007-1560

Details

An updated squid package that fixes a security vulnerability is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects.

A denial of service flaw was found in the way Squid processed the TRACE
request method. It was possible for an attacker behind the Squid proxy
to issue a malformed TRACE request, crashing the Squid daemon child
process. As long as these requests were sent, it would prevent
legitimate usage of the proxy server. (CVE-2007-1560)

This flaw does not affect the version of Squid shipped in Red Hat
Enterprise Linux 2.1, 3, or 4.

Users of Squid should upgrade to this updated package, which contains a
backported patch and is not vulnerable to this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
squid-2.6.STABLE6-4.el5.src.rpm
File outdated by:  RHBA-2009:0126		     bbbe184b6f26ec847ee14a3db3dcdb2e
 
IA-32:
squid-2.6.STABLE6-4.el5.i386.rpm
File outdated by:  RHBA-2009:0126		     2daca6e79b859f32057504b14655ce4f
 
x86_64:
squid-2.6.STABLE6-4.el5.x86_64.rpm
File outdated by:  RHBA-2009:0126		     b636c16f03f747d185753ae600ccc8c6
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
squid-2.6.STABLE6-4.el5.src.rpm
File outdated by:  RHBA-2009:0126		     bbbe184b6f26ec847ee14a3db3dcdb2e
 
IA-32:
squid-2.6.STABLE6-4.el5.i386.rpm
File outdated by:  RHBA-2009:0126		     2daca6e79b859f32057504b14655ce4f
 
IA-64:
squid-2.6.STABLE6-4.el5.ia64.rpm
File outdated by:  RHBA-2009:0126		     ba9e6a7ffad839c61d23bf192a9b20f1
 
PPC:
squid-2.6.STABLE6-4.el5.ppc.rpm
File outdated by:  RHBA-2009:0126		     0d1bbc0e51d7ac6a63346063fa7a6fc6
 
s390x:
squid-2.6.STABLE6-4.el5.s390x.rpm
File outdated by:  RHBA-2009:0126		     e40cb7de3f49967ba5a6ab35007a8915
 
x86_64:
squid-2.6.STABLE6-4.el5.x86_64.rpm
File outdated by:  RHBA-2009:0126		     b636c16f03f747d185753ae600ccc8c6
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

233253 - CVE-2007-1560 Squid TRACE DoS


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1560
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/