Security Update: [CSSA-2002-SCO.7] OpenServer: multiple vulnerabilities in squid

[security () caldera com]

To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                OpenServer: multiple vulnerabilities in squid
Advisory number:        CSSA-2002-SCO.7
Issue date:             2002 March 4
Cross reference:
___________________________________________________________________________


1. Problem Description

        Multiple vulnerabilities were discovered in squid, including
        (but not limited to) the following issues:

        - htcp_port 0 now properly disables htcp
        - Fixed problem with certain non-anonymous ftp style URL's
        - SNMP bugfixes including several memory leaks
        - Fixed bug #255: core dump on SSL/CONNECT if access denied by
          miss_access
        - Fixed a coredump when creating FTP directories
        - Fixed a potential coredump situation on snmpwalk in certain
          configurations 
                  
        The full list is in the ChangeLog for Squid 2.4.STABLE4. The
        last released verison of squid for OpenServer was 2.4.STABLE1.


2. Vulnerable Supported Versions

        Operating System        Version         Affected Files
        ------------------------------------------------------------------
        OpenServer              <=5.0.6a        squid-2.4.STABLE4-VOLS.tar


3. Workaround

        None.


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

        ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.7/
        ftp2.caldera.com/pub/skunkware/osr5/vols/squid-2.4.STABLE4-VOLS.tar


  4.2 Verification

        MD5 (squid-2.4.STABLE4-VOLS.tar) = d8a841049ce47d0dc02af7dd8ff19300


        md5 is available for download from
                ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download ftp2.caldera.com/pub/skunkware/osr5/vols/squid-2.4.STABLE4-VOLS.tar
        to the /tmp directory

        # cd /tmp
        # tar xvf squid-2.4.STABLE4-VOLS.tar

        Run the custom command, specify an install from media images,
        and specify the /tmp directory as the location of the images.


5. References

        This and other advisories are located at
                http://stage.caldera.com/support/security

        This advisory addresses Caldera Security internal incidents
        sr860951, fz520236, erg711970.


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.


7. Acknowledgements

        The ftp vulnerability was discovered by Jouko Pynnonen
        <jouko () solutions fi>.

        Caldera would like to thank Henrik Nordstrom <hno () squid-cache org>
        and the Squid team for responding with alacrity.

___________________________________________________________________________

Attachment: _bin
Description: