[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070125000854.GQ2912@outflux.net>
Date: Wed, 24 Jan 2007 16:08:54 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-414-1] Squid vulnerabilities
===========================================================
Ubuntu Security Notice USN-414-1 January 24, 2007
squid vulnerabilities
CVE-2007-0247, CVE-2007-0248
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
squid 2.5.12-4ubuntu2.2
Ubuntu 6.10:
squid 2.6.1-3ubuntu1.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
David Duncan Ross Palmer and Henrik Nordstrom discovered that squid
incorrectly handled special characters in FTP URLs. Remote users with
access to squid could crash the server leading to a denial of service.
(CVE-2007-0247)
Erick Dantas Rotole and Henrik Nordstrom discovered that squid could end
up in an endless loop when exhausted of available external ACL helpers.
Remote users with access to squid could cause CPU starvation, possibly
leading to a denial of service. This does not affect a default Ubuntu
installation, since external ACL helpers must be configured and used.
(CVE-2007-0248)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2.diff.gz
Size/MD5: 247162 c77eda0d1ab1a685ddccba3cec11112a
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2.dsc
Size/MD5: 666 728df6474a1a90b654f8e7068d49c4eb
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12.orig.tar.gz
Size/MD5: 1407261 1fc92afd1e858a51a2ebeba28cb76656
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.12-4ubuntu2.2_all.deb
Size/MD5: 203104 31807d0c54820bcb4ccaac324fd8ccb2
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_amd64.deb
Size/MD5: 105858 ec1034625a294cd9a5aee3acd367e8e6
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_amd64.deb
Size/MD5: 843664 1fba5697e70517003303a1edc4fb91f9
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_amd64.deb
Size/MD5: 79354 2967f6690585721a640fbfde495a0fee
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_i386.deb
Size/MD5: 104692 bf432d8afaab042920e20d5f0fa48587
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_i386.deb
Size/MD5: 756304 333887def26d690a1b40e06b1d6e9238
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_i386.deb
Size/MD5: 78198 d69eeb3c5f4bbb0c393c83292b95054b
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_powerpc.deb
Size/MD5: 105550 add8f17581b0eba4254c9a78ecf20d6d
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_powerpc.deb
Size/MD5: 838728 65488fafc44d1cbbeb54507734395c3a
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_powerpc.deb
Size/MD5: 79318 cd24525894b43ae769f00286412f6a8d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.2_sparc.deb
Size/MD5: 105074 95fa08d5f9a710a12331ffee2fe411da
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.2_sparc.deb
Size/MD5: 793020 0b11d30e1704e3ad6eb939494fe46ae8
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.2_sparc.deb
Size/MD5: 79270 e7b4ab8c0b0939491c3ff37b0736278c
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2.diff.gz
Size/MD5: 250552 c7b1b1b80935e2e9e916bc5e6c1d72a1
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2.dsc
Size/MD5: 675 cf59b558d3ec2f05fb5641a8eda9627d
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1.orig.tar.gz
Size/MD5: 1593236 5035d9cc90e8033e4eac232ce19a665f
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.1-3ubuntu1.2_all.deb
Size/MD5: 415546 c59977fd127de425cbeb794dc0c9a460
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_amd64.deb
Size/MD5: 109386 b94595843390e1aa91893fa7a434c7ca
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_amd64.deb
Size/MD5: 678296 06f5d5d9256b4e2b3cb48670578de871
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_amd64.deb
Size/MD5: 81912 24c3e805cb5b54b2e52abd1841edc2ac
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_i386.deb
Size/MD5: 108574 dea247ae92905bf3c719fba29828f529
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_i386.deb
Size/MD5: 609266 bae451ceb73a4af381be40cfb7e189a8
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_i386.deb
Size/MD5: 81162 573bbe0fe45ee1f1934847ef63a8d795
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_powerpc.deb
Size/MD5: 109218 d17878220e84e6c0b12b4b32c725b37a
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_powerpc.deb
Size/MD5: 683080 b7d8bf18b2c5db3ac208cb5d545ac55a
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_powerpc.deb
Size/MD5: 81844 21ebbc9fcdd89b53a8791b1387cc4c0f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.2_sparc.deb
Size/MD5: 108836 7f183a3aebc766b479b0a358360c9a20
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.2_sparc.deb
Size/MD5: 635690 c87a766ec1c84ddddb8014fc79bd0956
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.2_sparc.deb
Size/MD5: 82210 9b06dd8cf1597cceb64cbe46a1f0f46f
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists