Security Advisory Low: squid security and bug fix update

Advisory: RHSA-2010:0221-4
Type: Security Advisory
Severity: Low
Issued on: 2010-03-30
Last updated on: 2010-03-30
Affected Products: RHEL Desktop Workstation (v. 5 client),
                   Red Hat Enterprise Linux (v. 5 server)
CVEs (cve.mitre.org): CVE-2009-2855, CVE-2010-0308

Details

An updated squid package that fixes two security issues and several bugs is
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.

A flaw was found in the way Squid processed certain external ACL helper
HTTP header fields that contained a delimiter that was not a comma. A
remote attacker could issue a crafted request to the Squid server, causing
excessive CPU use (up to 100%). (CVE-2009-2855)

Note: The CVE-2009-2855 issue only affected non-default configurations that
use an external ACL helper script.

A flaw was found in the way Squid handled truncated DNS replies. A remote
attacker able to send specially-crafted UDP packets to Squid's DNS client
port could trigger an assertion failure in Squid's child process, causing
that child process to exit. Because the parent process restarts the child,
the result is a temporary denial of service. (CVE-2010-0308)

This update also fixes the following bugs:

* Squid's init script returns a non-zero value when trying to stop a
stopped service. This is not LSB compliant and can generate difficulties in
cluster environments. This update makes stopping LSB compliant. (BZ#521926)

* Squid is not currently built to support MAC address filtering in ACLs
(the arp ACL type). This update includes support for MAC address
filtering. (BZ#496170)

* Squid is not currently built to support Kerberos negotiate
authentication. This update enables Kerberos authentication. (BZ#516245)

* Squid does not include the port number as part of URIs it constructs when
configured as an accelerator, so accelerator mode only works when it
listens on port 80; on any other port requests fail with a 403 error. This
update corrects this behavior. (BZ#538738)

* The error_map feature does not work if the same handling is also
configured on the HTTP server operating in deflate mode. This update fixes
this issue. (BZ#470843)

All users of squid should upgrade to this updated package, which resolves
these issues. After installing this update, the squid service will be
restarted automatically.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
squid-2.6.STABLE21-6.el5.src.rpm     MD5: ddf825ad940a85e641a473bcd5c22dd7
SHA-256: 4a41138aa701b063c8f42940a6fe71fce903bf887e23cef679eb3c7341b3af88
 
IA-32:
squid-2.6.STABLE21-6.el5.i386.rpm     MD5: bbc82c5c21d82c790dbb1bb90d300991
SHA-256: 5a604081736af42f5db893e26a2eca0aab56393a8319e8f06fd74a48dcce56a2
 
x86_64:
squid-2.6.STABLE21-6.el5.x86_64.rpm     MD5: c4c15daf7f06504c0fbe2b2fab7eb861
SHA-256: 2b4825db2766907b69ab7b084935d56b1cd2dad84d7f23a2ec891e9409a3b992
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
squid-2.6.STABLE21-6.el5.src.rpm     MD5: ddf825ad940a85e641a473bcd5c22dd7
SHA-256: 4a41138aa701b063c8f42940a6fe71fce903bf887e23cef679eb3c7341b3af88
 
IA-32:
squid-2.6.STABLE21-6.el5.i386.rpm     MD5: bbc82c5c21d82c790dbb1bb90d300991
SHA-256: 5a604081736af42f5db893e26a2eca0aab56393a8319e8f06fd74a48dcce56a2
 
IA-64:
squid-2.6.STABLE21-6.el5.ia64.rpm     MD5: 0926466ee0c49195ef3d5092d95a415e
SHA-256: 945160210dcb3eb8b63616e89cb370d088886d61bc06bb29b5ffb3dd9389c6a5
 
PPC:
squid-2.6.STABLE21-6.el5.ppc.rpm     MD5: 96a1ae2cd98ec8918ab33dc8fec3bb51
SHA-256: 051e6a236b305165eb4ead2e24d90b60cfd8c9fd9d49bcfe03f58dbfddaf1e79
 
s390x:
squid-2.6.STABLE21-6.el5.s390x.rpm     MD5: bca8238bc22fb436b39f7213360a9381
SHA-256: 9260cf56aab84d3abda46a01d25a4390fda43139fd00836af1b75e9cb9f650ae
 
x86_64:
squid-2.6.STABLE21-6.el5.x86_64.rpm     MD5: c4c15daf7f06504c0fbe2b2fab7eb861
SHA-256: 2b4825db2766907b69ab7b084935d56b1cd2dad84d7f23a2ec891e9409a3b992
 
(The unlinked packages above are only available from the Red Hat Network)
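
The table above gives both MD5 and SHA-256 values, and the note below it
points at the Red Hat GPG key. The script that follows is an added example,
not part of the advisory: it checks a downloaded squid RPM against the
SHA-256 published above (the MD5 column is not used, since MD5 collisions
are practical), requires a GPG signature to be present before trusting
"rpm -K", and decides from the installed NVR whether the host already has
the fixed release. It assumes the RPM is in the current directory, that rpm
is installed on the target host (the checksum and version functions need
only sha256sum and sed), and that the Red Hat signing key has been imported
into the rpm database.

```sh
#!/bin/sh
# Added example, not part of the advisory: check a downloaded squid RPM
# against the SHA-256 published above and check whether the installed
# package is already at the fixed release. Assumptions: the RPM is in the
# current directory, rpm is installed on the host (the checksum and
# version functions themselves need only sha256sum and sed), and the
# Red Hat package-signing key has been imported into the rpm database.

# SHA-256 values copied from the package table above.
EXPECTED_X86_64=2b4825db2766907b69ab7b084935d56b1cd2dad84d7f23a2ec891e9409a3b992
EXPECTED_I386=5a604081736af42f5db893e26a2eca0aab56393a8319e8f06fd74a48dcce56a2
FIXED_NVR=squid-2.6.STABLE21-6.el5

# sha256_matches FILE EXPECTED : 0 if FILE hashes to EXPECTED.
# Use the SHA-256 column, not the MD5 one: MD5 collisions are practical,
# so an MD5 match on its own is weak evidence of integrity.
sha256_matches() {
    [ -r "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# squid_is_fixed NVR : 0 if NVR (e.g. output of "rpm -q squid") is at or
# past squid-2.6.STABLE21-6.el5, 1 if it is older, 2 if it is not from the
# 2.6.STABLE21 series. Simplified comparison: only the release number is
# compared, which is enough within this one version series; for anything
# else use a real EVR comparison (e.g. rpmdev-vercmp).
squid_is_fixed() {
    rel=$(printf '%s\n' "$1" \
          | sed -n 's/^squid-2\.6\.STABLE21-\([0-9][0-9]*\)\.el5.*$/\1/p')
    [ -n "$rel" ] || return 2
    [ "$rel" -ge 6 ]
}

# verify_and_install FILE EXPECTED : checksum, then signature, then install.
# The checksum only proves the file matches the advisory text; "rpm -K"
# checks the Red Hat GPG signature, which is what ties the package to Red Hat.
verify_and_install() {
    f=$1
    if ! sha256_matches "$f" "$2"; then
        echo "$f: SHA-256 mismatch, refusing to install" >&2
        return 1
    fi
    # An unsigned package still passes "rpm -K" (digests only), so require
    # a signature to be present before trusting the verdict.
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}' "$f")
    case $sig in
        "(none) (none)") echo "$f: no GPG signature" >&2; return 1 ;;
    esac
    if ! rpm -K "$f"; then
        echo "$f: signature check failed" >&2
        return 1
    fi
    rpm -Uvh "$f"
}

# Typical run on an x86_64 RHEL 5 host (skipped when rpm is absent, e.g.
# when this file is run somewhere other than the target).
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q squid 2>/dev/null || true)
    if squid_is_fixed "$installed"; then
        echo "$installed already includes the RHSA-2010:0221 fixes"
    else
        verify_and_install "$FIXED_NVR.x86_64.rpm" "$EXPECTED_X86_64" \
            || echo "update not applied" >&2
    fi
fi
```

Applying the update through the Red Hat Network, as the Solution section
describes, performs the signature check for you; the manual path above is
for hosts that receive the RPM some other way.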

Bugs fixed (see bugzilla for more information)

496170 - Add arp filter option
516245 - negotiate support not enabled in squid (for kerberized sso)
518182 - CVE-2009-2855 DoS (100% CPU use) while processing certain external ACL helper HTTP headers
521926 - squid 'stop after stop' is not LSB compliant
538738 - Squid accelerator mode works only if port 80 is opened
556389 - CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated DNS packet (SQUID-2010:1)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0308

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/