USN-901-1: Squid vulnerabilities
Ubuntu Security Notice USN-901-1 February 16, 2010
squid vulnerabilities
CVE-2009-2855, CVE-2010-0308
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid 2.5.12-4ubuntu2.5

Ubuntu 8.04 LTS:
  squid 2.6.18-1ubuntu3.1

Ubuntu 8.10:
  squid 2.7.STABLE3-1ubuntu2.2

Ubuntu 9.04:
  squid 2.7.STABLE3-4.1ubuntu1.1

Ubuntu 9.10:
  squid 2.7.STABLE6-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)
