[USN-565-1] Squid vulnerability

Kees Cook kees at ubuntu.com
Wed Jan 9 22:22:24 UTC 2008


===========================================================
Ubuntu Security Notice USN-565-1           January 09, 2008
squid vulnerability
CVE-2007-6239
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                           2.5.12-4ubuntu2.3

Ubuntu 6.10:
  squid                           2.6.1-3ubuntu1.5

Ubuntu 7.04:
  squid                           2.6.5-4ubuntu2.1

Ubuntu 7.10:
  squid                           2.6.14-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid did not always clean up cache memory
correctly.  A remote attacker could manipulate cache update replies and
cause Squid to use all available memory, leading to a denial of service.


