An updated squid package that fixes a security vulnerability is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

- ---------------------------------------------------------------------                   Red Hat Security Advisory

Synopsis:          Moderate: squid security update
Advisory ID:       RHSA-2007:0131-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2007:0131.html
Issue date:        2007-04-03
Updated on:        2007-04-03
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-1560 
- ---------------------------------------------------------------------1. Summary:

An updated squid package that fixes a security vulnerability is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects.

A denial of service flaw was found in the way Squid processed the TRACE
request method. It was possible for an attacker behind the Squid proxy
to issue a malformed TRACE request, crashing the Squid daemon child
process. As long as these requests were sent, it would prevent
legitimate usage of the proxy server. (CVE-2007-1560)

This flaw does not affect the version of Squid shipped in Red Hat
Enterprise Linux 2.1, 3, or 4.

Users of Squid should upgrade to this updated package, which contains a
backported patch and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at

5. Bug IDs fixed (http://bugzilla.redhat.com/):

233253 - CVE-2007-1560 Squid TRACE DoS

6. RPMs required:

RHEL Desktop Workstation (v. 5 client):

SRPMS:
bbbe184b6f26ec847ee14a3db3dcdb2e  squid-2.6.STABLE6-4.el5.src.rpm

i386:
2daca6e79b859f32057504b14655ce4f  squid-2.6.STABLE6-4.el5.i386.rpm
0cccd20c1ffb96e8be9b3e4b5f1ddb8c  squid-debuginfo-2.6.STABLE6-4.el5.i386.rpm

x86_64:
b636c16f03f747d185753ae600ccc8c6  squid-2.6.STABLE6-4.el5.x86_64.rpm
a28b81c4db7491dabef47130c7d006b1  squid-debuginfo-2.6.STABLE6-4.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
bbbe184b6f26ec847ee14a3db3dcdb2e  squid-2.6.STABLE6-4.el5.src.rpm

i386:
2daca6e79b859f32057504b14655ce4f  squid-2.6.STABLE6-4.el5.i386.rpm
0cccd20c1ffb96e8be9b3e4b5f1ddb8c  squid-debuginfo-2.6.STABLE6-4.el5.i386.rpm

ia64:
ba9e6a7ffad839c61d23bf192a9b20f1  squid-2.6.STABLE6-4.el5.ia64.rpm
1dbc1713e877685421c332530f68cfaf  squid-debuginfo-2.6.STABLE6-4.el5.ia64.rpm

ppc:
0d1bbc0e51d7ac6a63346063fa7a6fc6  squid-2.6.STABLE6-4.el5.ppc.rpm
5dba2eb601fe8b9425d6bdfa6592d776  squid-debuginfo-2.6.STABLE6-4.el5.ppc.rpm

s390x:
e40cb7de3f49967ba5a6ab35007a8915  squid-2.6.STABLE6-4.el5.s390x.rpm
1d2e5f3aacc0693785c2598b9dbeb87d  squid-debuginfo-2.6.STABLE6-4.el5.s390x.rpm

x86_64:
b636c16f03f747d185753ae600ccc8c6  squid-2.6.STABLE6-4.el5.x86_64.rpm
a28b81c4db7491dabef47130c7d006b1  squid-debuginfo-2.6.STABLE6-4.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://access.redhat.com/security/team/key#package

7. References:

https://www.cve.org/CVERecord?id=CVE-2007-1560
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact

Copyright 2007 Red Hat, Inc.