-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0383 -- [Ubuntu]
                            Squid vulnerability
                               16 April 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Squid
Publisher:            Ubuntu
Operating System:     Ubuntu
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1612 CVE-2007-6239

Ref:                  ESB-2008.0362
                      AL-2007.0125

Original Bulletin:    http://www.ubuntu.com/usn/usn-601-1

- --------------------------BEGIN INCLUDED TEXT--------------------

=========================================================== 
Ubuntu Security Notice USN-601-1             April 14, 2008
squid vulnerability
CVE-2008-1612
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                           2.5.12-4ubuntu2.4

Ubuntu 6.10:
  squid                           2.6.1-3ubuntu1.7

Ubuntu 7.04:
  squid                           2.6.5-4ubuntu2.2

Ubuntu 7.10:
  squid                           2.6.14-1ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid did not perform proper bounds checking when
processing cache update replies. A remote authenticated user may be able
to trigger an assertion error and cause a denial of service. This
vulnerability is due to an incorrect fix for CVE-2007-6239.
(CVE-2008-1612)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----