Bugtraq mailing list archives

Security Update: [CSSA-2002-SCO.26] OpenServer 5.0.6a : squid compressed DNS answer message boundary failure

From: security () caldera com
Date: Thu, 13 Jun 2002 16:59:03 -0700

To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca

______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                OpenServer 5.0.6a : squid compressed DNS answer message boundary failure
Advisory number:        CSSA-2002-SCO.26
Issue date:             2002 June 13
Cross reference:
______________________________________________________________________________


1. Problem Description

        From Squid advisory SQUID-2002:2 : Error and boundary
        conditions were not checked when handling compressed DNS
        answer messages in the internal DNS code (lib/rfc1035.c).
        A malicious DNS server could craft a DNS reply that would
        cause Squid to exit with a SIGSEGV.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6a               /opt/K/SCO/Squid/2.4.6/*


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.6a

        4.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.26


        4.2 Verification

        MD5 (VOL.000.000) = 87accd0ac60bf509b86e66bb74062168
        MD5 (VOL.000.001) = 4f709bb2f81fbb72e46f9f3608bca6e6
        MD5 (VOL.000.002) = eb7964ff9190da6749341170ce779b12
        MD5 (VOL.000.003) = 8be5cc4f62eb83d65541c491cbaaad3c

        md5 is available for download from
                ftp://ftp.caldera.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        1) Download the VOL* files to the /tmp directory

        Run the custom command, specify an install from media images,
        and specify the /tmp directory as the location of the images.


5. References

        Specific references for this advisory:
                http://www.squid-cache.org/Advisories/SQUID-2002_2.txt

        Caldera security resources:
                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr862189, fz520428,
        erg712012.


6. Disclaimer

        Caldera International, Inc. is not responsible for the
        misuse of any of the information we provide on this website
        and/or through our security advisories. Our advisories are
        a service to our customers intended to promote secure
        installation and use of Caldera products.


7. Acknowledgements

        This vulnerability was discovered and researched by zen-parse
        <zen-parse () gmx net>.

______________________________________________________________________________

Attachment: _bin
Description:

Current thread:

Security Update: [CSSA-2002-SCO.26] OpenServer 5.0.6a : squid compressed DNS answer message boundary failure security (Jun 14)