-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
email@example.com                         firstname.lastname@example.org
OpenPKG-SA-2005.021                                          10-Sep-2005
Package:             squid
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= squid-2.5.10-20050709   >= squid-2.5.10-20050910
OpenPKG 2.4          <= squid-2.5.10-2.4.0      >= squid-2.5.10-2.4.1
OpenPKG 2.3          <= squid-2.5.9-2.3.0       >= squid-2.5.9-2.3.1

Dependent Packages:  none
Description:
  Two Denial of Service (DoS) security issues were discovered in the
  Squid Internet proxy. The first DoS is possible via certain aborted
  requests that trigger an assertion error related to "STORE_PENDING".
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-2794 to the problem. The second problem allows remote
  attackers to cause a DoS via certain crafted requests and SSL
  timeouts. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2005-2796 to the problem.

  Please check whether you are affected by running
  "<prefix>/bin/openpkg rpm -q squid". If you have the "squid" package
  installed and its version is affected (see above), we recommend that
  you immediately upgrade it (see Solution).
Solution:
  Select the updated source RPM appropriate for your OpenPKG release,
  fetch it from the OpenPKG FTP service or a mirror location, verify its
  integrity, build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM. For the most recent
  release OpenPKG 2.4, perform the following operations to permanently
  fix the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get squid-2.5.10-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig squid-2.5.10-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild squid-2.5.10-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.10-2.4.1.*.rpm
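  The affected/corrected table above is easy to misread by eye when a host
  runs an older label than the one listed (e.g. squid-2.5.9-2.4.0 on 2.4 is
  also affected, since "<=" covers everything below the listed label). The
  following script is an added example, not part of this advisory or of
  OpenPKG itself: it takes the output of "<prefix>/bin/openpkg rpm -q squid",
  compares the label against the advisory table with an rpmvercmp-style
  segment comparison (numeric segments as integers, alphabetic segments
  lexically, numeric newer than alphabetic; the '~' and '^' rules of newer
  rpm are left out), and reports whether an upgrade is needed. It assumes
  the command prints a single NAME-VERSION-RELEASE string such as
  "squid-2.5.10-2.4.0"; the helper names split_label, vercmp, labelcmp,
  is_affected and assess are ours, and the sample outputs at the bottom are
  constructed.

```python
import re

# Affected / corrected labels per release, copied from the advisory table.
# Value: (last affected label, first corrected label).
ADVISORY = {
    "CURRENT": ("squid-2.5.10-20050709", "squid-2.5.10-20050910"),
    "2.4": ("squid-2.5.10-2.4.0", "squid-2.5.10-2.4.1"),
    "2.3": ("squid-2.5.9-2.3.0", "squid-2.5.9-2.3.1"),
}

# rpm compares versions as a sequence of numeric or alphabetic segments;
# everything else ('.', '-', '_') is only a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def split_label(label):
    """Split 'name-version-release' into (name, version, release).

    rpm puts '-' between the three parts; a package name may itself
    contain dashes, so split from the right.
    """
    name, version, release = label.rsplit("-", 2)
    return name, version, release


def vercmp(a, b):
    """Compare two version or release strings rpmvercmp-style.

    Segments are walked left to right: numeric ones compare as integers,
    alphabetic ones lexically, a numeric segment is newer than an
    alphabetic one, and if one string is a prefix of the other the
    longer one is newer. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1  # numeric beats alphabetic
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def labelcmp(a, b):
    """Compare two full package labels: version first, then release."""
    _, va, ra = split_label(a)
    _, vb, rb = split_label(b)
    return vercmp(va, vb) or vercmp(ra, rb)


def is_affected(installed, release):
    """True if the installed label is at or below the last affected label
    for the given OpenPKG release ("CURRENT", "2.4" or "2.3")."""
    name, _, _ = split_label(installed)
    if name != "squid":
        raise ValueError("not a squid package label: %r" % installed)
    last_affected, _ = ADVISORY[release]
    return labelcmp(installed, last_affected) <= 0


def assess(rpm_q_output, release):
    """Turn the output of 'openpkg rpm -q squid' into a one-line verdict
    naming the corrected label to upgrade to when needed."""
    label = rpm_q_output.strip()
    if label.startswith("package squid is not installed"):
        return "not installed, nothing to do"
    _, corrected = ADVISORY[release]
    if is_affected(label, release):
        return "%s is affected, upgrade to %s" % (label, corrected)
    return "%s is not affected" % label


if __name__ == "__main__":
    # Constructed sample outputs; on a real host pipe the command's
    # output into assess() instead.
    for out, rel in (("squid-2.5.10-2.4.0\n", "2.4"),
                     ("squid-2.5.9-2.4.0\n", "2.4"),
                     ("squid-2.5.10-2.4.1\n", "2.4"),
                     ("squid-2.5.10-20050709\n", "CURRENT"),
                     ("package squid is not installed\n", "2.4")):
        print(assess(out, rel))
```

  The release key must be chosen by the operator, since the label alone does
  not say which OpenPKG release a host tracks; passing the wrong row would
  compare against the wrong threshold.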
References:
  http://www.squid-cache.org/
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2794
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2796
  http://www.openpkg.org/tutorial.html#regular-source
  http://www.openpkg.org/tutorial.html#regular-binary
  ftp://ftp.openpkg.org/release/2.4/UPD/squid-2.5.10-2.4.1.src.rpm
  ftp://ftp.openpkg.org/release/2.3/UPD/squid-2.5.9-2.3.1.src.rpm
  ftp://ftp.openpkg.org/release/2.4/UPD/
  ftp://ftp.openpkg.org/release/2.3/UPD/
  http://www.openpkg.org/security.html#signature
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <email@example.com>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <firstname.lastname@example.org>

iD8DBQFDIvf/gHWT4GPEy58RAnCnAKDrvmGNftc9jHI+PDzE9wDUHNja4QCffSdO
Qa9zYyI7QLe9aZLBxbNyG5c=
=2dyO
-----END PGP SIGNATURE-----