Scientific Linux: CVE-2010-3072 Low Threat from Squid Service

Date: Wed, 1 Jun 2011 11:11:44 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Low: squid on SL6.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 
MIME-Version: 1.0

Synopsis: Low: squid security and bug fix update
Issue Date: 2011-05-19
CVE Numbers: CVE-2010-3072

Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.

It was found that string comparison functions in Squid did not properly
handle the comparisons of NULL and empty strings. A remote, trusted web
client could use this flaw to cause the squid daemon to crash via a
specially-crafted request. (CVE-2010-3072)

This update also fixes the following bugs:

* A small memory leak in Squid caused multiple "ctx: enter level" messages
to be logged to "/var/log/squid/cache.log". This update resolves the memory
leak. (BZ#666533)

* This erratum upgrades Squid to upstream version 3.1.10. This upgraded
version supports the Google Instant service and introduces various code
improvements. (BZ#639365)

Users of squid should upgrade to this updated package, which resolves these
issues. After installing this update, the squid service will be restarted
automatically.

SL6:
 x86_64
 squid-3.1.10-1.el6.x86_64.rpm
 squid-debuginfo-3.1.10-1.el6.x86_64.rpm
 i386
 squid-3.1.10-1.el6.i686.rpm
 squid-debuginfo-3.1.10-1.el6.i686.rpm

- Scientific Linux Development Team