Security Advisory Low: squid security and bug fix update

Advisory: RHSA-2011:0545-1
Type: Security Advisory
Severity: Low
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2010-3072

Details

An updated squid package that fixes one security issue and two bugs is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.

It was found that string comparison functions in Squid did not properly
handle the comparisons of NULL and empty strings. A remote, trusted web
client could use this flaw to cause the squid daemon to crash via a
specially-crafted request. (CVE-2010-3072)
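
The bug class described above, shown as an added illustration (this is not Squid's code and not part of the advisory): a comparison routine for a counted string that treats NULL and empty values as the same value instead of dereferencing them. The `lstr` type and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical counted string (not Squid's type): buf is NULL until assigned. */
struct lstr { const char *buf; size_t len; };

/* Unsafe pattern, for contrast only: strcmp(a->buf, b) dereferences NULL
 * when either side was never assigned, which crashes the process. */

static size_t min_sz(size_t x, size_t y) { return x < y ? x : y; }

/* Shared rule: NULL and "" are the same empty value. Returns 1 and sets *out
 * when the result is decided by emptiness alone, otherwise returns 0. */
static int cmp_empty(const struct lstr *a, const char *b, int *out)
{
    int a_empty = (a == NULL || a->buf == NULL || a->len == 0);
    int b_empty = (b == NULL || *b == '\0');
    if (!a_empty && !b_empty) return 0;
    *out = b_empty - a_empty;   /* both empty: 0, only a: -1, only b: 1 */
    return 1;
}

/* Compare at most `limit` bytes; result is normalised to -1, 0 or 1. */
int lstr_ncmp(const struct lstr *a, const char *b, size_t limit)
{
    int r;
    if (limit == 0) return 0;
    if (cmp_empty(a, b, &r)) return r;
    size_t alen = min_sz(a->len, limit);
    size_t blen = min_sz(strlen(b), limit);
    r = memcmp(a->buf, b, min_sz(alen, blen));
    if (r != 0) return (r > 0) - (r < 0);
    return (alen > blen) - (alen < blen);
}

/* Full comparison is the bounded one with no effective limit. */
int lstr_cmp(const struct lstr *a, const char *b)
{
    return lstr_ncmp(a, b, (size_t)-1);
}

int main(void)
{
    struct lstr unset = { NULL, 0 };   /* constructed sample values */
    struct lstr abc = { "abc", 3 };
    printf("%d %d %d\n", lstr_cmp(&unset, NULL), lstr_cmp(&unset, "x"),
           lstr_cmp(&abc, ""));
    return 0;
}
```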

This update also fixes the following bugs:

* A small memory leak in Squid caused multiple "ctx: enter level" messages
to be logged to "/var/log/squid/cache.log". This update resolves the memory
leak. (BZ#666533)

* This erratum upgrades Squid to upstream version 3.1.10. This upgraded
version supports the Google Instant service and introduces various code
improvements. (BZ#639365)

Users of squid should upgrade to this updated package, which resolves these
issues. After installing this update, the squid service will be restarted
automatically.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
squid-3.1.10-1.el6.src.rpm
File outdated by:  RHBA-2014:0048
 
IA-32:
squid-3.1.10-1.el6.i686.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.i686.rpm
File outdated by:  RHBA-2014:0048
 
PPC:
squid-3.1.10-1.el6.ppc64.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.ppc64.rpm
File outdated by:  RHBA-2014:0048
 
s390x:
squid-3.1.10-1.el6.s390x.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.s390x.rpm
File outdated by:  RHBA-2014:0048
 
x86_64:
squid-3.1.10-1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0048
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
squid-3.1.10-1.el6.src.rpm
File outdated by:  RHBA-2014:0048
 
IA-32:
squid-3.1.10-1.el6.i686.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.i686.rpm
File outdated by:  RHBA-2014:0048
 
x86_64:
squid-3.1.10-1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0048
squid-debuginfo-3.1.10-1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0048
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

630444 - CVE-2010-3072 Squid: Denial of service due internal error in string handling (SQUID-2010:3)
639365 - Rebase squid to version 3.1.10
666533 - small memleak in squid-3.1.4


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/