Mandrake Linux Security Advisory : squid (MDKSA-2002:016-1)

high Nessus Plugin ID 13924

Synopsis

The remote Mandrake Linux host is missing a security update.

Description

Three security issues were found in the 2.x versions of the Squid proxy server up to and including 2.4.STABLE3. The first is a memory leak in the optional SNMP interface to Squid which could allow a malicious user who can send packets to the Squid SNMP port to possibly perform a Denial of Service attack on ther server if the SNMP interface is enabled. The next is a buffer overflow in the implementation of ftp:// URLs where allowed users could possibly perform a DoS on the server, and may be able to trigger remote execution of code (which the authors have not yet confirmed). The final issue is with the HTCP interface which cannot be properly disabled from squid.conf; HTCP is enabled by default on Mandrake Linux systems.

Update :

The squid updates for all versions other than Mandrake Linux were incorrectly built with LDAP authentication which introduced a dependency on OpenLDAP. These new packages do not use LDAP authentication. The Single Network Firewall 7.2 package previously released did not use LDAP authentication, however rebuilding the source RPM package required LDAP to be installed. Single Network Firewall 7.2 users do not need to upgrade to these packages to have a properly function squid.

Solution

Update the affected squid package.

See Also

http://www.squid-cache.org/Advisories/SQUID-2002_1.txt

Plugin Details

Severity: High

ID: 13924

File Name: mandrake_MDKSA-2002-016.nasl

Version: 1.19

Type: local

Published: 7/31/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:squid, cpe:/o:mandrakesoft:mandrake_linux:7.1, cpe:/o:mandrakesoft:mandrake_linux:7.2, cpe:/o:mandrakesoft:mandrake_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2/26/2002

Reference Information

CVE: CVE-2002-0067, CVE-2002-0068, CVE-2002-0069

MDKSA: 2002:016-1