[USN-565-1] Squid vulnerability
Date: Wed, 9 Jan 2008 14:22:24 -0800
From: Kees Cook <kees@ubuntu.com.>
Organization: Ubuntu
===========================================================
Ubuntu Security Notice USN-565-1 January 09, 2008
squid vulnerability
CVE-2007-6239
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
squid 2.5.12-4ubuntu2.3
Ubuntu 6.10:
squid 2.6.1-3ubuntu1.5
Ubuntu 7.04:
squid 2.6.5-4ubuntu2.1
Ubuntu 7.10:
squid 2.6.14-1ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that Squid did not always clean up cache memory
correctly. A remote attacker could manipulate cache update replies and
cause Squid to use all available memory, leading to a denial of service.