========================================================================== Ubuntu Security Notice USN-1713-1 January 31, 2013 squid-cgi vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 10.04 LTS Summary: squid-cgi could consume excessive system resources, leading to a denial of service attack on it and other hosted services. Software Description: - squid3: Full featured Web Proxy cache (HTTP proxy) - squid: Internet object cache (WWW proxy cache) Details: It was discovered that squid's cachemgr.cgi was vulnerable to excessive resource use. A remote attacker could exploit this flaw to perform a denial of service attack on the server and other hosted services. (CVE-2012-5643) It was discovered that the patch for CVE-2012-5643 was incorrect. A remote attacker could exploit this flaw to perform a denial of service attack. (CVE-2013-0189) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.10: squid-cgi 3.1.20-1ubuntu1.1 Ubuntu 12.04 LTS: squid-cgi 3.1.19-1ubuntu3.12.04.2 Ubuntu 11.10: squid-cgi 3.1.14-1ubuntu0.3 Ubuntu 10.04 LTS: squid-cgi 2.7.STABLE7-1ubuntu12.6 In general, a standard system update will make all the necessary changes. Ensure the webserver access controls properly restrict access to cachemgr.cgi. References: http://www.ubuntu.com/usn/usn-1713-1 CVE-2012-5643, CVE-2013-0189 Package Information: https://launchpad.net/ubuntu/+source/squid3/3.1.20-1ubuntu1.1 https://launchpad.net/ubuntu/+source/squid3/3.1.19-1ubuntu3.12.04.2 https://launchpad.net/ubuntu/+source/squid3/3.1.14-1ubuntu0.3 https://launchpad.net/ubuntu/+source/squid/2.7.STABLE7-1ubuntu12.6
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.