lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050518133201.GB3340@piware.de>
Date: Wed, 18 May 2005 15:32:01 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-129-1] Squid vulnerability

===========================================================
Ubuntu Security Notice USN-129-1	       May 18, 2005
squid vulnerability
CAN-2005-1519
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

squid

The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.9 (for Ubuntu 4.10), or 2.5.8-3ubuntu1.2 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

It was discovered that Squid did not verify the validity of DNS server
responses. When Squid is started, it opens a DNS client UDP port whose
number is randomly assigned by the operating system. Unless your
network firewall is configured to accept DNS responses only from known
good nameservers, this vulnerability allowed users within the local
network to inject arbitrary DNS responses into Squid ("DNS spoofing").
This could be used to present different web pages to users from those
they actually requested.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9.diff.gz
      Size/MD5:   281859 f364c4bb9bd58951062d207f3db3cb81
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9.dsc
      Size/MD5:      652 e70987cf4c944b7bbd139a3e594b5066
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5.orig.tar.gz
      Size/MD5:  1363967 6c7f3175b5fa04ab5ee68ce752e7b500

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.5-6ubuntu0.9_all.deb
      Size/MD5:   191054 31f2683021358e153ab47bcd2722a974

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_amd64.deb
      Size/MD5:    90452 232ce4508910ebfc3b001b85207e22c3
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_amd64.deb
      Size/MD5:   813378 28e68b02831669be996e44f994054b4e
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_amd64.deb
      Size/MD5:    71824 d9ea92e2046b9df721498eb4974a0976

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_i386.deb
      Size/MD5:    88974 38f7738bfbdb2b2a0186bf2b80c86d26
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_i386.deb
      Size/MD5:   729378 4a2d98e11540f9542a898dbc92b40d04
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_i386.deb
      Size/MD5:    70550 37d842c17e41b5742366d68d8f37e7ca

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.9_powerpc.deb
      Size/MD5:    89900 04cf7ebdd2884be4dc373219541351f5
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.9_powerpc.deb
      Size/MD5:   796922 e783aa29510b037c17093051743aedee
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.9_powerpc.deb
      Size/MD5:    71314 8818145fbf76439e4cd258998a954c91

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2.diff.gz
      Size/MD5:   303979 ab7914dae89f6acaab22b277418ff0ac
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2.dsc
      Size/MD5:      663 6000f9f117756fc0a238ad368f87838c
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8.orig.tar.gz
      Size/MD5:  1383756 bbc1e77bd175462732fe5f0d822fd160

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.8-3ubuntu1.2_all.deb
      Size/MD5:   194468 f0ccd8100220edee0fd5cd789f9a96a9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_amd64.deb
      Size/MD5:    92866 a64f49b05ed0bf36cee6a46fef561abb
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_amd64.deb
      Size/MD5:   821304 601290da637b51e66eb6cafb3727532a
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_amd64.deb
      Size/MD5:    75414 bd4826ca345ceb1b959fd67bf1209ad3

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_i386.deb
      Size/MD5:    91252 c11b4a0700b50b49d39f47bf6b5b5337
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_i386.deb
      Size/MD5:   740014 996b988cf38b88bbb547676939451846
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_i386.deb
      Size/MD5:    74038 d2c0248dcf3eed36f83dcd50c7ffd302

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.8-3ubuntu1.2_powerpc.deb
      Size/MD5:    92356 5fb18eeb2ee9058f1301a8f1ee704002
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.8-3ubuntu1.2_powerpc.deb
      Size/MD5:   809294 04a26952d632d523749a5871be981821
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.8-3ubuntu1.2_powerpc.deb
      Size/MD5:    74882 163a9cc031a91d7fa49f30bd19847d9d

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ