===========================================================
Ubuntu Security Notice USN-901-1          February 16, 2010
squid vulnerabilities
CVE-2009-2855, CVE-2010-0308
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                           2.5.12-4ubuntu2.5

Ubuntu 8.04 LTS:
  squid                           2.6.18-1ubuntu3.1

Ubuntu 8.10:
  squid                           2.7.STABLE3-1ubuntu2.2

Ubuntu 9.04:
  squid                           2.7.STABLE3-4.1ubuntu1.1

Ubuntu 9.10:
  squid                           2.7.STABLE6-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet and
cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)
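An added example, not part of the original notice: a check of an installed squid version against the fixed versions listed above, using Debian version ordering (numeric runs compare as integers, `~` sorts before everything). The function names and the sample inventory are constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed squid versions per Ubuntu release, as listed in USN-901-1.
FIXED = {
    "6.06": "2.5.12-4ubuntu2.5",
    "8.04": "2.6.18-1ubuntu3.1",
    "8.10": "2.7.STABLE3-1ubuntu2.2",
    "9.04": "2.7.STABLE3-4.1ubuntu1.1",
    "9.10": "2.7.STABLE6-2ubuntu2.1",
}
_CHUNK = re.compile(r"([^0-9]*)([0-9]*)")

def _weights(text, width):
    # dpkg ordering: '~' sorts before end-of-string (0), letters before symbols.
    w = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in text]
    return w + [0] * (width - len(w))

def _cmp_part(a, b):
    # Walk alternating non-digit / digit chunks of both strings in step.
    pairs = zip_longest(_CHUNK.findall(a), _CHUNK.findall(b), fillvalue=("", ""))
    for (ta, na), (tb, nb) in pairs:
        width = max(len(ta), len(tb))
        ka, kb = _weights(ta, width), _weights(tb, width)
        if ka != kb:
            return -1 if ka < kb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    """True if `installed` is at or above the USN-901-1 fixed version."""
    return compare_versions(installed, FIXED[release]) >= 0

if __name__ == "__main__":
    # Constructed sample inventory: (release, installed squid version).
    for rel, ver in [("9.10", "2.7.STABLE6-2ubuntu2"), ("8.04", "2.6.18-1ubuntu3.1")]:
        print(rel, ver, "patched" if is_patched(rel, ver) else "needs update")
```

On a live host the installed version comes from `dpkg-query -W -f='${Version}' squid`, and `dpkg --compare-versions` performs the same comparison natively.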