Full Disclosure mailing list archives

[USN-904-1] Squid vulnerability
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Wed, 24 Feb 2010 12:18:55 -0500

===========================================================
Ubuntu Security Notice USN-904-1          February 24, 2010
squid vulnerability
CVE-2010-0639
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  squid                           2.6.18-1ubuntu3.2

Ubuntu 8.10:
  squid                           2.7.STABLE3-1ubuntu2.3

Ubuntu 9.04:
  squid                           2.7.STABLE3-4.1ubuntu1.2

Ubuntu 9.10:
  squid                           2.7.STABLE6-2ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain malformed packets
received on the HTCP port. A remote attacker could exploit this with a
specially-crafted packet and cause Squid to crash, resulting in a denial of
service.





Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
