lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070125000854.GQ2912@outflux.net>
Date: Wed, 24 Jan 2007 16:08:54 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-414-1] Squid vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-414-1           January 24, 2007
squid vulnerabilities
CVE-2007-0247, CVE-2007-0248
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                                    2.5.12-4ubuntu2.2

Ubuntu 6.10:
  squid                                    2.6.1-3ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

David Duncan Ross Palmer and Henrik Nordstrom discovered that squid 
incorrectly handled special characters in FTP URLs.  Remote users with 
access to squid could crash the server leading to a denial of service. 
(CVE-2007-0247)

Erick Dantas Rotole and Henrik Nordstrom discovered that squid could end 
up in an endless loop when exhausted of available external ACL helpers.  
Remote users with access to squid could cause CPU starvation, possibly 
leading to a denial of service.  This does not affect a default Ubuntu 
installation, since external ACL helpers must be configured and used.
(CVE-2007-0248)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2.diff.gz
      Size/MD5:   247162 c77eda0d1ab1a685ddccba3cec11112a
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2.dsc
      Size/MD5:      666 728df6474a1a90b654f8e7068d49c4eb
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12.orig.tar.gz
      Size/MD5:  1407261 1fc92afd1e858a51a2ebeba28cb76656

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.12-4ubuntu2.2_all.deb
      Size/MD5:   203104 31807d0c54820bcb4ccaac324fd8ccb2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_amd64.deb
      Size/MD5:   105858 ec1034625a294cd9a5aee3acd367e8e6
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_amd64.deb
      Size/MD5:   843664 1fba5697e70517003303a1edc4fb91f9
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_amd64.deb
      Size/MD5:    79354 2967f6690585721a640fbfde495a0fee

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_i386.deb
      Size/MD5:   104692 bf432d8afaab042920e20d5f0fa48587
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_i386.deb
      Size/MD5:   756304 333887def26d690a1b40e06b1d6e9238
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_i386.deb
      Size/MD5:    78198 d69eeb3c5f4bbb0c393c83292b95054b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_powerpc.deb
      Size/MD5:   105550 add8f17581b0eba4254c9a78ecf20d6d
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_powerpc.deb
      Size/MD5:   838728 65488fafc44d1cbbeb54507734395c3a
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_powerpc.deb
      Size/MD5:    79318 cd24525894b43ae769f00286412f6a8d

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_sparc.deb
      Size/MD5:   105074 95fa08d5f9a710a12331ffee2fe411da
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_sparc.deb
      Size/MD5:   793020 0b11d30e1704e3ad6eb939494fe46ae8
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_sparc.deb
      Size/MD5:    79270 e7b4ab8c0b0939491c3ff37b0736278c

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2.diff.gz
      Size/MD5:   250552 c7b1b1b80935e2e9e916bc5e6c1d72a1
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2.dsc
      Size/MD5:      675 cf59b558d3ec2f05fb5641a8eda9627d
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1.orig.tar.gz
      Size/MD5:  1593236 5035d9cc90e8033e4eac232ce19a665f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.1-3ubuntu1.2_all.deb
      Size/MD5:   415546 c59977fd127de425cbeb794dc0c9a460

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_amd64.deb
      Size/MD5:   109386 b94595843390e1aa91893fa7a434c7ca
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_amd64.deb
      Size/MD5:   678296 06f5d5d9256b4e2b3cb48670578de871
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_amd64.deb
      Size/MD5:    81912 24c3e805cb5b54b2e52abd1841edc2ac

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_i386.deb
      Size/MD5:   108574 dea247ae92905bf3c719fba29828f529
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_i386.deb
      Size/MD5:   609266 bae451ceb73a4af381be40cfb7e189a8
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_i386.deb
      Size/MD5:    81162 573bbe0fe45ee1f1934847ef63a8d795

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_powerpc.deb
      Size/MD5:   109218 d17878220e84e6c0b12b4b32c725b37a
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_powerpc.deb
      Size/MD5:   683080 b7d8bf18b2c5db3ac208cb5d545ac55a
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_powerpc.deb
      Size/MD5:    81844 21ebbc9fcdd89b53a8791b1387cc4c0f

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_sparc.deb
      Size/MD5:   108836 7f183a3aebc766b479b0a358360c9a20
    http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_sparc.deb
      Size/MD5:   635690 c87a766ec1c84ddddb8014fc79bd0956
    http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_sparc.deb
      Size/MD5:    82210 9b06dd8cf1597cceb64cbe46a1f0f46f


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ