Referenced CVEs:
CVE-2009-2855, CVE-2010-0308
Description:
===========================================================
Ubuntu Security Notice USN-901-1          February 16, 2010
squid vulnerabilities
CVE-2009-2855, CVE-2010-0308
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid                           2.5.12-4ubuntu2.5

Ubuntu 8.04 LTS:
  squid                           2.6.18-1ubuntu3.1

Ubuntu 8.10:
  squid                           2.7.STABLE3-1ubuntu2.2

Ubuntu 9.04:
  squid                           2.7.STABLE3-4.1ubuntu1.1

Ubuntu 9.10:
  squid                           2.7.STABLE6-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)
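To audit hosts against the fixed versions listed above, the following added example (not part of the original notice) compares an installed squid version with the notice's table using Debian version ordering. The function names are illustrative and the ordering is reimplemented here for offline use; `dpkg --compare-versions` is the authoritative comparison on a live system.

```python
import re

# Fixed squid package versions, copied from USN-901-1.
FIXED = {
    "6.06": "2.5.12-4ubuntu2.5",
    "8.04": "2.6.18-1ubuntu3.1",
    "8.10": "2.7.STABLE3-1ubuntu2.2",
    "9.04": "2.7.STABLE3-4.1ubuntu1.1",
    "9.10": "2.7.STABLE6-2ubuntu2.1",
}
# Per the notice, CVE-2009-2855 only affected these releases.
AUTH_LOOP_RELEASES = {"8.10", "9.04", "9.10"}

def _order(c):
    """Sort weight of one character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    pa, pb = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for i in range(max(len(pa), len(pb))):
        sa, na = pa[i] if i < len(pa) else ("", "")
        sb, nb = pb[i] if i < len(pb) else ("", "")
        for j in range(max(len(sa), len(sb))):
            ca, cb = _order(sa[j:j + 1]), _order(sb[j:j + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, rev

def compare(a, b):
    """Debian-style version comparison; returns -1, 0 or 1."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unfixed_cves(release, installed):
    """CVEs from USN-901-1 not yet fixed by the installed squid package."""
    if compare(installed, FIXED[release]) >= 0:
        return []
    both = ["CVE-2009-2855", "CVE-2010-0308"]
    return both if release in AUTH_LOOP_RELEASES else both[1:]
```

For example, `unfixed_cves("8.04", "2.6.18-1ubuntu3")`, with a constructed installed version string, returns `["CVE-2010-0308"]`.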