LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: July 28th, 2014
Linux Advisory Watch: July 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: Squid vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that Squid incorrectly handled certain auth headers. A remote attacker could exploit this with a specially-crafted auth header and cause Squid to go into an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 8.10, 9.04 and 9.10. (CVE-2009-2855) It was discovered that Squid incorrectly handled certain DNS packets. A remote attacker could exploit this with a specially-crafted DNS packet and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)
===========================================================
Ubuntu Security Notice USN-901-1          February 16, 2010
squid vulnerabilities
CVE-2009-2855, CVE-2010-0308
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                           2.5.12-4ubuntu2.5

Ubuntu 8.04 LTS:
  squid                           2.6.18-1ubuntu3.1

Ubuntu 8.10:
  squid                           2.7.STABLE3-1ubuntu2.2

Ubuntu 9.04:
  squid                           2.7.STABLE3-4.1ubuntu1.1

Ubuntu 9.10:
  squid                           2.7.STABLE6-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5.diff.gz
      Size/MD5:   248533 2454656350ab9b5410483e80a79128c6
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5.dsc
      Size/MD5:      675 fd131c2b5c03f21f497f31b69c2eae06
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12.orig.tar.gz
      Size/MD5:  1407261 1fc92afd1e858a51a2ebeba28cb76656

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.12-4ubuntu2.5_all.deb
      Size/MD5:   203524 2455400b6eb3805ff0c1d2392068178f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5_amd64.deb
      Size/MD5:   844242 1afcf81c42b19962cdd5365bc5b6aa69
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.5_amd64.deb
      Size/MD5:   106136 6ee8e11da7009f677e4fd30e9b047fe7
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.5_amd64.deb
      Size/MD5:    79628 d7ecffbbf1a63b895773920663c4aef4

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5_i386.deb
      Size/MD5:   756608 79994c8370fc139cb5a551c4997c5870
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.5_i386.deb
      Size/MD5:   104932 b8f0b74ce627f661023a323373993284
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.5_i386.deb
      Size/MD5:    78476 659174c97acab076331616e189f8c2fb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5_powerpc.deb
      Size/MD5:   839082 ee00e2ff00fd02a521e76acb9a53feda
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.5_powerpc.deb
      Size/MD5:   105826 d9a3baf35ddb005d446fdae238beffaa
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.5_powerpc.deb
      Size/MD5:    79588 b96f5eb6f8b36b9e7984876f4fe87033

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.5_sparc.deb
      Size/MD5:   793288 e0229f7b2eeac59292bd1e72196f719b
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.5_sparc.deb
      Size/MD5:   105312 12b27303a17ddbf229563d664fc40f01
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.5_sparc.deb
      Size/MD5:    79540 9d6e00216f18b6c151d0870b5f916b81

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.18-1ubuntu3.1.diff.gz
      Size/MD5:   300822 a117f6c4aca9a0a1c592f446b7fe04fd
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.18-1ubuntu3.1.dsc
      Size/MD5:      806 3619367bb8824288a5f4c58a51ddc3b2
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.18.orig.tar.gz
      Size/MD5:  1725660 d7ff75f7b75ba7bc28ea453fe4b94434

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.18-1ubuntu3.1_all.deb
      Size/MD5:   482290 21e970822bc7e4f3f0eb62a82857dd62

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.18-1ubuntu3.1_amd64.deb
      Size/MD5:   715890 ccfb79671e52658b060657b60cceff30
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.18-1ubuntu3.1_amd64.deb
      Size/MD5:   114594 d21ec960f3a5fc29349e6a31b7a847a8
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.18-1ubuntu3.1_amd64.deb
      Size/MD5:    94414 514e5336f1cc498b35a28e8dd7b9246a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.18-1ubuntu3.1_i386.deb
      Size/MD5:   642908 437bb9c1048db9d58cbc7203c2b702f5
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.18-1ubuntu3.1_i386.deb
      Size/MD5:   113692 2133467e47fe5910f67255843509b073
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.18-1ubuntu3.1_i386.deb
      Size/MD5:    93528 61f7d6c8eacd5ec8aba6560a77946604

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.6.18-1ubuntu3.1_lpia.deb
      Size/MD5:   644896 45553d97b6a7b9fe30f88a29d31be6ad
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.6.18-1ubuntu3.1_lpia.deb
      Size/MD5:   113548 6cf3239380c78738599f279dba36b5b5
    http://ports.ubuntu.com/pool/universe/s/squid/squidclient_2.6.18-1ubuntu3.1_lpia.deb
      Size/MD5:    93440 bdea3a1d1303bf8917a768490b6c54bb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.6.18-1ubuntu3.1_powerpc.deb
      Size/MD5:   729018 5e12656ba78bd89104735458d4dcc680
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.6.18-1ubuntu3.1_powerpc.deb
      Size/MD5:   115460 e120d04274723cad6da7fd9e6c6ae481
    http://ports.ubuntu.com/pool/universe/s/squid/squidclient_2.6.18-1ubuntu3.1_powerpc.deb
      Size/MD5:    95054 f2cad2324cf454faa0d9b4f639a7f782

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.6.18-1ubuntu3.1_sparc.deb
      Size/MD5:   669852 98a34a8a069fc0cb8d01fc71b6eca3bd
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.6.18-1ubuntu3.1_sparc.deb
      Size/MD5:   114158 6912e4098c27d0c41e8e214273a3a485
    http://ports.ubuntu.com/pool/universe/s/squid/squidclient_2.6.18-1ubuntu3.1_sparc.deb
      Size/MD5:    94658 8e425faa823c00d421c85b8b9f70f165

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2.diff.gz
      Size/MD5:   304074 8d6595b133476ebdfd500b41c373618b
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2.dsc
      Size/MD5:     1253 64d9293267b6958dd3d0ed102c6ee618
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3.orig.tar.gz
      Size/MD5:  1782040 a4d7608696e2b617aa5853c7d23e25b0

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.7.STABLE3-1ubuntu2.2_all.deb
      Size/MD5:   496014 7c0717d8f7c7f586e0f5359c3ad81d28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2_amd64.deb
      Size/MD5:   771770 ff19be00b375719b740c8aee4687c284
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.2_amd64.deb
      Size/MD5:   120016 228e7986ffc3e50a0661d338b283d8ea

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2_i386.deb
      Size/MD5:   695860 dfcc70857b10eaa2a111f03829c2190d
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.2_i386.deb
      Size/MD5:   118776 7be15db3887a81291236beaa353ebdf5

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2_lpia.deb
      Size/MD5:   694110 a2bdd32ad4625be13a75b40344cd3b5b
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.2_lpia.deb
      Size/MD5:   118680 b37761349524ac1e81a28dd248be294a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2_powerpc.deb
      Size/MD5:   778254 456062a86f9a85e26bdbe5cbb930b0f1
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.2_powerpc.deb
      Size/MD5:   120594 fab58afccbd4536a5a08517a88d05212

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.2_sparc.deb
      Size/MD5:   719234 c6a43b6bf15a8dfbc4981266d06e1da8
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.2_sparc.deb
      Size/MD5:   119536 8e45754fddb4517ee1a0441d98680fb2

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1.diff.gz
      Size/MD5:   309541 c0849f64ed73fe6e0faa903f02cb5e0c
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1.dsc
      Size/MD5:     1261 c857a6a4117f69d074ac78a3085f75f1
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3.orig.tar.gz
      Size/MD5:  1782040 a4d7608696e2b617aa5853c7d23e25b0

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.7.STABLE3-4.1ubuntu1.1_all.deb
      Size/MD5:   496694 23bf755c15cf1c025879e0a8a4ff1ddb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1_amd64.deb
      Size/MD5:   772966 eb3740e568636cabfd59e79236217fad
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-4.1ubuntu1.1_amd64.deb
      Size/MD5:   120732 78c8d8fb946a94f2d69be15a77864c07

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1_i386.deb
      Size/MD5:   696842 78df80b53e8af1bbc1b13221206ae72e
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-4.1ubuntu1.1_i386.deb
      Size/MD5:   119434 7a5ba2ac5c44505866da1ad2358cbe42

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1_lpia.deb
      Size/MD5:   695448 301a11d0423ceef12b1c1a321ccac364
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-4.1ubuntu1.1_lpia.deb
      Size/MD5:   119352 f3bd8c65af58b76c357d244688f3cd16

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1_powerpc.deb
      Size/MD5:   779592 daa4786247e98d9beaedfb496663ecbd
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-4.1ubuntu1.1_powerpc.deb
      Size/MD5:   121282 26beb55ede0cb6ba700579e5313f3a43

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-4.1ubuntu1.1_sparc.deb
      Size/MD5:   719760 2b18b83fa554dc26aa6dfe4bbebec018
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-4.1ubuntu1.1_sparc.deb
      Size/MD5:   120200 e31f9d6dfdb8c03912e52eb5945bd5cf

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1.diff.gz
      Size/MD5:   304537 e1bc8245ae44b54b879ac9387f8e5d43
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1.dsc
      Size/MD5:     1272 e220c14c3b7128a5c429a474df9d04a0
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE6.orig.tar.gz
      Size/MD5:  1786189 b6bcacd9c58e6e9e18d0ff44d20c50d9

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.7.STABLE6-2ubuntu2.1_all.deb
      Size/MD5:   351776 295f7d973a4213f26bfee7f29204daf9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1_amd64.deb
      Size/MD5:   815802 85cee789f10e319c608e599eed958717
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE6-2ubuntu2.1_amd64.deb
      Size/MD5:   122986 5b389450e481b24aaf120aaa468679c6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1_i386.deb
      Size/MD5:   764152 b285560419935f5ccbe7230e994e7f4c
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE6-2ubuntu2.1_i386.deb
      Size/MD5:   122142 5014ab2ae281f5b7d8e3954bcbaa7117

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1_lpia.deb
      Size/MD5:   762270 920c4de6c29dfc31b006dccf00976059
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE6-2ubuntu2.1_lpia.deb
      Size/MD5:   121928 4e41197bcd57396933d69c3b74c9e81d

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1_powerpc.deb
      Size/MD5:   829778 df71fb6e967608eda2e40f6e72f4e2ab
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE6-2ubuntu2.1_powerpc.deb
      Size/MD5:   123804 96c3da7783abd1f1355bc453375c5f91

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE6-2ubuntu2.1_sparc.deb
      Size/MD5:   843590 b07c87d2ffb5f4b059842c3a1f228704
    http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE6-2ubuntu2.1_sparc.deb
      Size/MD5:   123462 4cb8909dce8561e30a6ccb4d7c7b75dc




--=-HC+5W+IM3C6eilooSYwY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAkt6uwoACgkQLMAs/0C4zNp6KQCgwSotELL2An8opQuFbb4aUsF6
SZ0AnREQIhtZM+/LzVMjRyLU/YB5h43d
=WNg2
-----END PGP SIGNATURE-----

--=-HC+5W+IM3C6eilooSYwY--



--==============36980618075973930=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============36980618075973930==--
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
DARPA-derived secure microkernel goes open source tomorrow
Hacker Gary McKinnon turns into a search expert
Hackers seed Amazon cloud with potent denial-of-service bots
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.