Linux Today: Linux News On Internet Time.
tinysoft Advisory: squid
Jun 10, 2004, 03:14 UTC


Security Advisory #2004-010

Package name: squid
Summary: Arbitrary Code Execution
Advisory ID: TSSA-2004-010
Date: 2004-06-09
Affected versions: tinysofa enterprise server 1.0, tinysofa enterprise server 1.0-U1


Security Fixes

Description

squid:

  • Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache [0] could allow a remote attacker to execute arbitrary code. Squid Web Proxy Cache supports Basic, Digest and NTLM authentication. The vulnerability specifically exists within the NTLM authentication helper routine, ntlm_check_auth(), located in helpers/ntlm_auth/SMB/libntlmssp.c:
    char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
    {
        int rv;
        char pass[25] /*, encrypted_pass[40] */;
        char *domain = credentials;
        ...
        memcpy(pass, tmp.str, tmp.l);
        ...

The function contains a buffer overflow vulnerability due to a lack of bounds checking on the values copied to the 'pass' variable. Both the 'tmp.str' and 'tmp.l' variables used in the memcpy() call contain user-supplied data.
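The following is an added illustration, not code from the advisory or from Squid: it reproduces the shape of the flaw (a length-prefixed, attacker-controlled field copied into a fixed 25-byte 'pass' buffer) and shows the bounds check that the original memcpy() call lacked. The 'lstring' type, 'copy_password_field()' and 'check_field()' are hypothetical names chosen for the example; only the field names 'str' and 'l' and the buffer size come from the excerpt above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the length-prefixed field that the helper
 * extracts from the NTLM authenticate message; both members are untrusted. */
typedef struct {
    const char *str;   /* pointer into client-supplied packet data */
    size_t l;          /* length taken from the packet, also client-supplied */
} lstring;

#define PASS_BUF 25    /* same size as 'pass' in the advisory excerpt */

/* Bounded copy. Returns 0 on success, -1 if the field would not fit.
 * The vulnerable code did memcpy(pass, tmp.str, tmp.l) with no such check,
 * so a field longer than 25 bytes wrote past the end of the stack buffer. */
int copy_password_field(char *pass, size_t pass_size, const lstring *tmp)
{
    /* Reserve one byte for the NUL terminator that later string
     * handling in the helper expects. */
    if (tmp->str == NULL || tmp->l >= pass_size)
        return -1;
    memcpy(pass, tmp->str, tmp->l);
    pass[tmp->l] = '\0';
    return 0;
}

/* Drives the check with a constructed field of the given length. */
int check_field(const char *data, size_t len)
{
    char pass[PASS_BUF];
    lstring tmp = { data, len };
    return copy_password_field(pass, sizeof pass, &tmp);
}

int main(void)
{
    const char ok[] = "secret";         /* constructed, well-formed field */
    char big[64];                       /* constructed, oversized field */
    memset(big, 'A', sizeof big);
    printf("6-byte field:  %d\n", check_field(ok, strlen(ok)));  /* 0 */
    printf("64-byte field: %d\n", check_field(big, sizeof big)); /* -1 */
    return 0;
}
```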

This problem has been assigned the name CAN-2004-0541 [1] by the Common Vulnerabilities and Exposures (CVE) project.

This problem was first reported by iDEFENSE [2].

References

[0] http://www.squid-cache.org/
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0541
[2] http://www.idefense.com/application/poi/display?id=107

Recommended Action

We recommend that all systems with these packages installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location

All tinysofa updates are available from <URI:http://http.tinysofa.org/pub/tinysofa/updates/>
<URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>

Automatic Updates

Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Questions?

Check out our mailing lists:
<URI:http://www.tinysofa.org/support/>

Verification

This advisory is signed with the tinysofa security sign key. This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAEDCBB4B>

All tinysofa packages are signed with the tinysofa stable sign key. This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0F1240A2>

The advisory is available from the tinysofa errata database at <URI:http://www.tinysofa.org/support/errata/>
or directly at
<URI:http://www.tinysofa.org/support/errata/2004/010.html>

MD5sums Of The Packages

1fc7bd552435e8c6605d1cdd064d2edc squid-2.5.STABLE5-6ts.i586.rpm

--
tinysofa Security Team <security at tinysofa dot org>