From: Immunix Security Team <security@wirex.com> To: security-alerts@linuxsecurity.com, bugtraq@securityfocus.com, linux-security@lists.securityportal.com, immunix-announce@immunix.org Subject: squid update -- Immunix OS 6.2, 7.0-beta, and 7.0 Date: Wed, 18 Jul 2001 17:51:10 -0700 ----------------------------------------------------------------------- Immunix OS Security Advisory Packages updated: squid Affected products: Immunix OS 6.2, 7.0-beta, and 7.0 Bugs fixed: immunix/1675 Date: Wed Jul 18 2001 Advisory ID: IMNX-2001-70-031-01 Author: Seth Arnold <sarnold@wirex.com> ----------------------------------------------------------------------- Description: Paul Nasrat has discovered a bug in squid's httpd_accel mode that allows users to use squid as a portscanner similar to ftp bounce scanning because squid does not properly use ACLs in the config file. Paul conjectures it may be possible to pass data through the squid proxy to communicate in a meaningful fashion, possibly bypassing network security settings. This update fixes this problem. References: http://www.securityfocus.com/archive/1/197727 Package names and locations: Precompiled binary packages for Immunix 6.2 are available at: http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/squid-2.3.STABLE4-10_StackGuard.i386.rpm Source packages for Immunix 6.2 are available at: http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/squid-2.3.STABLE4-10_StackGuard.src.rpm Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at: http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/squid-2.3.STABLE4-10_imnx.i386.rpm Source package for Immunix 7.0-beta and 7.0 is available at: http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/squid-2.3.STABLE4-10_imnx.src.rpm Immunix OS 6.2 md5sums: 6db7a8501226b8465c29ba04eceae67a RPMS/squid-2.3.STABLE4-10_StackGuard.i386.rpm 1d25dc57cc140c70a4ee956102556a10 SRPMS/squid-2.3.STABLE4-10_StackGuard.src.rpm Immunix OS 7.0 md5sums: 2d32e0beaf753f1a401e08ff16187398 RPMS/squid-2.3.STABLE4-10_imnx.i386.rpm 739f4ca67709575dcd4df01e4581b4e9 SRPMS/squid-2.3.STABLE4-10_imnx.src.rpm GPG verification: Our public key is available at <http://wirex.com/security/GPG_KEY>. *** NOTE *** This key is different from the one used in advisories IMNX-2001-70-020-01 and earlier. Online version of all Immunix 6.2 updates and advisories: http://immunix.org/ImmunixOS/6.2/updates/ Online version of all Immunix 7.0-beta updates and advisories: http://immunix.org/ImmunixOS/7.0-beta/updates/ Online version of all Immunix 7.0 updates and advisories: http://immunix.org/ImmunixOS/7.0/updates/ NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html Contact information: To report vulnerabilities, please contact security@wirex.com. WireX attempts to conform to the RFP vulnerability disclosure protocol <http://www.wiretrip.net/rfp/policy.html>.