-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: REVISED: squid compressed DNS answer message boundary failure
Advisory number: 	CSSA-2002-017.1
Issue date: 		2002 May 31
Cross reference:
______________________________________________________________________________


1. Problem Description

	From the Squid team advisory SQUID-2002:2 : Error and boundary
	conditions were not checked when handling compressed DNS answer
	messages in the internal DNS code (lib/rfc1035.c). A malicious
	DNS server could craft a DNS reply that would cause Squid to
	exit with a SIGSEGV.

	This rpm update resolves problems related to the previous
	fix's use of a wrong path: /etc/init.d.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to squid-2.4.STABLE2-4.1.i386.rpm
	OpenLinux 3.1 Server		prior to squid-2.4.STABLE2-4.1.i386.rpm


3. Solution

	The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

	4.2 Packages

	28831a21032600d939b1397cb7ae5f90	squid-2.4.STABLE2-4.1.i386.rpm

	4.3 Installation

	rpm -Fvh squid-2.4.STABLE2-4.1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

	4.5 Source Packages

	a51156b097ff2fdf27b0db00d537b63b	squid-2.4.STABLE2-4.1.src.rpm


5. OpenLinux 3.1 Server

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

	5.2 Packages

	858472bda2bf14760cfbea12b100a509	squid-2.4.STABLE2-4.1.i386.rpm

	5.3 Installation

	rpm -Fvh squid-2.4.STABLE2-4.1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

	5.5 Source Packages

	272e311750da3e899fe6e35ef4da6db5	squid-2.4.STABLE2-4.1.src.rpm


6. References

	Specific references for this advisory:
		http://www.squid-cache.org/Advisories/SQUID-2002_2.txt

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security fix closes Caldera incidents sr862189, fz520428,
	and erg711999.


7. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


8. Acknowledgements

	This vulnerability was discovered and researched by zen-parse
	<zen-parse@gmx.net>.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjz38sMACgkQbluZssSXDTEdJwCggzTVEQlx3Y0dcR+57tfnQNuZ
dIIAniJsCjw98ioQwwsZwVQLQXceuMZL
=tBkC
-----END PGP SIGNATURE-----