Updated squid packages that fix a security vulnerability as well as
several bugs are now available.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects.
A denial of service flaw was found in the way squid processes certain NTLM
authentication requests. A remote attacker could send a specially crafted
NTLM authentication request which would cause the Squid server to crash.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-2917 to this issue.
Several bugs have also been addressed in this update:
* An error introduced in 2.5.STABLE3-6.3E.14 where Squid can crash if a
user visits a site which has a long DNS record.
* Some authentication helpers were missing needed setuid rights.
* Squid couldn't handle a reply from a HTTP server when the reply began
with the new-line character or wasn't HTTP/1.0 or HTTP/1.1 compliant.
* User-defined error pages were not kept when the squid package was upgraded.
All users of squid should upgrade to these updated packages, which contain
backported patches to resolve these issues.