| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 May 2005 15:32:01 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-129-1] Squid vulnerability
===========================================================
Ubuntu Security Notice USN-129-1 May 18, 2005
squid vulnerability
CAN-2005-1519
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
squid
The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.9 (for Ubuntu 4.10), or 2.5.8-3ubuntu1.2 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.
Details follow:
It was discovered that Squid did not verify the validity of DNS server
responses. When Squid is started, it opens a DNS client UDP port whose
number is randomly assigned by the operating system. Unless your
network firewall is configured to accept DNS responses only from known
good nameservers, this vulnerability allowed users within the local
network to inject arbitrary DNS responses into Squid ("DNS spoofing").
This could be used to present different web pages to users from those
they actually requested.
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9.diff.gz
Size/MD5: 281859 f364c4bb9bd58951062d207f3db3cb81
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9.dsc
Size/MD5: 652 e70987cf4c944b7bbd139a3e594b5066
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5.orig.tar.gz
Size/MD5: 1363967 6c7f3175b5fa04ab5ee68ce752e7b500
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.5-6ubuntu0.9_all.deb
Size/MD5: 191054 31f2683021358e153ab47bcd2722a974
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_amd64.deb
Size/MD5: 90452 232ce4508910ebfc3b001b85207e22c3
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_amd64.deb
Size/MD5: 813378 28e68b02831669be996e44f994054b4e
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_amd64.deb
Size/MD5: 71824 d9ea92e2046b9df721498eb4974a0976
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_i386.deb
Size/MD5: 88974 38f7738bfbdb2b2a0186bf2b80c86d26
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_i386.deb
Size/MD5: 729378 4a2d98e11540f9542a898dbc92b40d04
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_i386.deb
Size/MD5: 70550 37d842c17e41b5742366d68d8f37e7ca
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_powerpc.deb
Size/MD5: 89900 04cf7ebdd2884be4dc373219541351f5
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_powerpc.deb
Size/MD5: 796922 e783aa29510b037c17093051743aedee
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_powerpc.deb
Size/MD5: 71314 8818145fbf76439e4cd258998a954c91
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2.diff.gz
Size/MD5: 303979 ab7914dae89f6acaab22b277418ff0ac
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2.dsc
Size/MD5: 663 6000f9f117756fc0a238ad368f87838c
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8.orig.tar.gz
Size/MD5: 1383756 bbc1e77bd175462732fe5f0d822fd160
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.8-3ubuntu1.2_all.deb
Size/MD5: 194468 f0ccd8100220edee0fd5cd789f9a96a9
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_amd64.deb
Size/MD5: 92866 a64f49b05ed0bf36cee6a46fef561abb
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_amd64.deb
Size/MD5: 821304 601290da637b51e66eb6cafb3727532a
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_amd64.deb
Size/MD5: 75414 bd4826ca345ceb1b959fd67bf1209ad3
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_i386.deb
Size/MD5: 91252 c11b4a0700b50b49d39f47bf6b5b5337
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_i386.deb
Size/MD5: 740014 996b988cf38b88bbb547676939451846
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_i386.deb
Size/MD5: 74038 d2c0248dcf3eed36f83dcd50c7ffd302
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_powerpc.deb
Size/MD5: 92356 5fb18eeb2ee9058f1301a8f1ee704002
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_powerpc.deb
Size/MD5: 809294 04a26952d632d523749a5871be981821
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_powerpc.deb
Size/MD5: 74882 163a9cc031a91d7fa49f30bd19847d9d
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists