New squid packages are available that fix various vulnerabilities. Some of these vulnerabilities could be used to perform a denial of service (DoS) attack or allow remote users to execute code as the user squid.
Squid is a high-performance proxy caching server. Various security issues have been found in Squid up to and including version 2.4.STABLE2. These were:

- a memory leak in the SNMP code
- a crash on specially-formatted data in FTP URL parsing
- HTCP would still be active, even if it was disabled in the config file

These errata packages contain Squid version 2.4.STABLE3, which is not vulnerable to these issues. It is recommended that all users of Squid update to the fixed packages.

Note: SNMP support is disabled in the default configuration of these packages (it was previously enabled). If you need SNMP support, edit your squid configuration and change the 'snmp_port' option; the default port for SNMP-enabled Squid is 3401.

Thanks go to Jouko Pynnonen for notifying us of the FTP vulnerability and to the Squid team for providing patches.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2002-0067, CAN-2002-0068, CAN-2002-0069 to these issues.