Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0383 -- [Ubuntu] Squid vulnerability 16 April 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Squid Publisher: Ubuntu Operating System: Ubuntu Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2008-1612 CVE-2007-6239 Ref: ESB-2008.0362 AL-2007.0125 Original Bulletin: http://www.ubuntu.com/usn/usn-601-1 - --------------------------BEGIN INCLUDED TEXT-------------------- =========================================================== Ubuntu Security Notice USN-601-1 April 14, 2008 squid vulnerability CVE-2008-1612 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: squid 2.5.12-4ubuntu2.4 Ubuntu 6.10: squid 2.6.1-3ubuntu1.7 Ubuntu 7.04: squid 2.6.5-4ubuntu2.2 Ubuntu 7.10: squid 2.6.14-1ubuntu2.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect fix for CVE-2007-6239. (CVE-2008-1612) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4.diff.gz Size/MD5: 247667 05b709ab6c6ced664fca3eb8c8534e20 http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4.dsc Size/MD5: 666 7da288841f7d6c6f8c662a389ecc334e http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12.orig.tar.gz Size/MD5: 1407261 1fc92afd1e858a51a2ebeba28cb76656 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.12-4ubuntu2.4_all.deb Size/MD5: 203332 269c6ad6ebe5541d0b8880dfa305d56c amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4_amd64.deb Size/MD5: 844138 8281589e7f42bb8aabd0a72f5bc2878d http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.4_amd64.deb Size/MD5: 106032 d631e04e0b10217ca8fd38a52a67d89a http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.4_amd64.deb Size/MD5: 79522 e81158cf4b36e69daacd77c58ce8faab i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4_i386.deb Size/MD5: 756536 c347c37b1d33310600d2cd19a5e1b81d http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.4_i386.deb Size/MD5: 104858 e0ca641be3aa8770de87b80c9768b7ae http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.4_i386.deb Size/MD5: 78366 7dc911b739fbe19027d29f8be6c783c0 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4_powerpc.deb Size/MD5: 839094 adbe397722a3fa1ea87b99f69ae7be72 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.4_powerpc.deb Size/MD5: 105728 7507a0e891242e490224be0a7e295a5c http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.4_powerpc.deb Size/MD5: 79486 b9d7a13662462d2ea26bdee58d573861 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.12-4ubuntu2.4_sparc.deb Size/MD5: 793280 3b06b5c2728ff2147f1b947b1d028a3c http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.12-4ubuntu2.4_sparc.deb Size/MD5: 105222 00abda35533fc22f7737856aa6f2172a http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.12-4ubuntu2.4_sparc.deb Size/MD5: 79440 6a8bb2ec68388f78fee19e5a2dd4ebdf Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7.diff.gz Size/MD5: 254763 e252c8c8e082a2ef7065ff3f8f3ff36f http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7.dsc Size/MD5: 675 d2c24e9244d97f58302a21546a25c05d http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1.orig.tar.gz Size/MD5: 1593236 5035d9cc90e8033e4eac232ce19a665f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.1-3ubuntu1.7_all.deb Size/MD5: 416084 f350b81af9e81420b2350355bebd67b5 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7_amd64.deb Size/MD5: 678474 6ff5a19ddaf92102684ffd6fbe9caa36 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.7_amd64.deb Size/MD5: 109704 fd64d9866b244bfc50c772d1b84dbe39 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.7_amd64.deb Size/MD5: 82224 29594209f52225b09efc32165ebd467c i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7_i386.deb Size/MD5: 609784 207b76849162076880cf7df035c95ccf http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.7_i386.deb Size/MD5: 108892 b187fe59f11f43ba6eb1902c8b2194ed http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.7_i386.deb Size/MD5: 81472 c9716d90bc7e66c036886e3c75b446c5 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7_powerpc.deb Size/MD5: 683660 ae0e97423560b371aed4e7e9f7734f6f http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.7_powerpc.deb Size/MD5: 109538 80025cfae7d7863ba238f108777fb1b2 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.7_powerpc.deb Size/MD5: 82158 cafc6835a4ae8200ae9d3aa7b2b6e0d9 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.1-3ubuntu1.7_sparc.deb Size/MD5: 636180 0db7e64eb2588415504105f4fa475365 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.1-3ubuntu1.7_sparc.deb Size/MD5: 109162 44abc1d0e94368383e8261d6d313637e http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.1-3ubuntu1.7_sparc.deb Size/MD5: 82522 b4c666024a9747ed8535c47b184512ce Updated packages for Ubuntu 7.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2.diff.gz Size/MD5: 272337 f6744cf3f7ae32628290b9bd68ba813e http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2.dsc Size/MD5: 761 736b606ac1afec4657c8516a125595ad http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5.orig.tar.gz Size/MD5: 1636886 26cc918028340dc8ceb9c0c4b988d717 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.5-4ubuntu2.2_all.deb Size/MD5: 437594 aeeba77731882cd06e97134d4e371b37 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2_amd64.deb Size/MD5: 712118 a29a8669bac579cf09684f8a12364566 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.5-4ubuntu2.2_amd64.deb Size/MD5: 116484 047a2c8738e284bb32aae31023067546 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.5-4ubuntu2.2_amd64.deb Size/MD5: 86868 12a12ea3ed545db8ed233c6ad33540df i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2_i386.deb Size/MD5: 640774 519724b3e19e271dac2ae8ad67b4e58a http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.5-4ubuntu2.2_i386.deb Size/MD5: 115722 f6237a5cd5975ac7fefe1a06b7eff7c7 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.5-4ubuntu2.2_i386.deb Size/MD5: 86098 4389e8dc194f6a51db84e9a66e9d41a8 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2_powerpc.deb Size/MD5: 728496 7be7c056bb9aa0193939290f7e75ce12 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.5-4ubuntu2.2_powerpc.deb Size/MD5: 117040 09b95d8fa9396fa2e0fc5674cd503d2b http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.5-4ubuntu2.2_powerpc.deb Size/MD5: 87488 9ea28189672205a5b92d8112bc1d5abc sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.5-4ubuntu2.2_sparc.deb Size/MD5: 674020 33b1d5e27e08fd1f8b127d9c01b842ca http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.5-4ubuntu2.2_sparc.deb Size/MD5: 116282 289c107a2dfb603f030964105a112f21 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.5-4ubuntu2.2_sparc.deb Size/MD5: 87454 4cb551b49cb85d08c9d6b9803609dcb7 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2.diff.gz Size/MD5: 301024 490e4025cd800e69eeb15f43ffe0fbae http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2.dsc Size/MD5: 764 badd1f8b8cc0c40a8e7db4e5710b0d72 http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14.orig.tar.gz Size/MD5: 1694713 25a0e4d4b9e673b24c29901bbfbcdb5c Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.6.14-1ubuntu2.2_all.deb Size/MD5: 474092 f47722cbc00c6491494570ce4831bf02 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2_amd64.deb Size/MD5: 715456 df3ce48f7a04eaa62ae2b5ee7f47faa6 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.14-1ubuntu2.2_amd64.deb Size/MD5: 111758 49f1243ec4ee3c8667e95ff693dc8157 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.14-1ubuntu2.2_amd64.deb Size/MD5: 91990 7d0c2b0050f13f82cb6fac205ad1b02b i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2_i386.deb Size/MD5: 642572 a8b62680d53fb8fb1a89def6ab235624 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.14-1ubuntu2.2_i386.deb Size/MD5: 110902 95debb69cfae20349ad47e86d8e72f28 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.14-1ubuntu2.2_i386.deb Size/MD5: 91178 fe55bbb3019ea9d56237f0a0d3ad5802 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2_powerpc.deb Size/MD5: 728072 3bdfbec516b9a6d4f2038a97537952dd http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.14-1ubuntu2.2_powerpc.deb Size/MD5: 112406 762f797a0ecb887188dd9b22d923da0b http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.14-1ubuntu2.2_powerpc.deb Size/MD5: 92538 1aeee23bfed61a3d206b6e3825db74fb sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.6.14-1ubuntu2.2_sparc.deb Size/MD5: 675466 c536f56f80a177a1cc546b813fbe95fd http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.6.14-1ubuntu2.2_sparc.deb Size/MD5: 111600 57f390b1637d8457e5675fbe0acea928 http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.6.14-1ubuntu2.2_sparc.deb Size/MD5: 92548 49e901c305196336ab6021838a9ec0fd - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSAUhoSh9+71yA2DNAQL4tAP+IjkULcQVYg8EwmxVYaIU1adwxvYBwSUs yVdSp9IzF7GlH9Cku26FUuRik6jn2hqwLMIlpzJ8JZYg7wnDOvMuNs31w/cVg+40 yLspK+R7SyhY6A+rCi8MHe5z0Cpi740KLZ8CJzEkXffo4+AGYCs96Qvus1J92gmM y+N1rSdPv1I= =0yYp -----END PGP SIGNATURE-----