USN-1713-1: Squid vulnerabilities

Publication date

31 January 2013

Overview

squid-cgi could consume excessive system resources, leading to a denial of service attack on it and other hosted services.


Packages

  • squid - Internet object cache (WWW proxy cache)
  • squid3 - Full featured Web Proxy cache (HTTP proxy)

Details

It was discovered that squid’s cachemgr.cgi was vulnerable to excessive
resource use. A remote attacker could exploit this flaw to perform a denial
of service attack on the server and other hosted services. (CVE-2012-5643)

It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack. (CVE-2013-0189)

Update instructions

In general, a standard system update will make all the necessary changes. Ensure the webserver access controls properly restrict access to cachemgr.cgi.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release   Package     Version
12.10 quantal    squid-cgi   3.1.20-1ubuntu1.1
12.04 precise    squid-cgi   3.1.19-1ubuntu3.12.04.2
11.10 oneiric    squid-cgi   3.1.14-1ubuntu0.3
10.04 lucid      squid-cgi   2.7.STABLE7-1ubuntu12.6
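
An added example, not part of the Ubuntu notice: a fleet audit that flags hosts whose recorded squid-cgi version sorts below the fixed version for their release, using a reimplementation of Debian's version ordering so it runs on a host without dpkg. The host names and installed versions in INVENTORY are constructed sample data.

```python
import re

# Fixed squid-cgi versions per release, copied from the table in this notice.
FIXED = {
    "quantal": "3.1.20-1ubuntu1.1",
    "precise": "3.1.19-1ubuntu3.12.04.2",
    "oneiric": "3.1.14-1ubuntu0.3",
    "lucid": "2.7.STABLE7-1ubuntu12.6",
}
# Constructed inventory: (host, release codename, installed squid-cgi version).
INVENTORY = [
    ("proxy-a", "precise", "3.1.19-1ubuntu3.12.04.1"),
    ("proxy-b", "precise", "3.1.19-1ubuntu3.12.04.2"),
    ("proxy-c", "lucid", "2.7.STABLE7-1ubuntu12.5"),
]

def _order(ch):
    # Debian ordering of non-digit characters: '~' < end of string < letters < others.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare two upstream or revision strings as alternating text/number chunks.
    ta, tb = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    pad = [("", "")] * abs(len(ta) - len(tb))
    for (sa, da), (sb, db) in zip(ta + pad, tb + pad):
        m = max(len(sa), len(sb))
        ka = ([_order(c) for c in sa] + [0] * m)[:m], int(da or 0)
        kb = ([_order(c) for c in sb] + [0] * m)[:m], int(db or 0)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, dash, revision = rest.rpartition("-")
    return int(epoch), (upstream if dash else rest), (revision if dash else "")

def compare_versions(a, b):
    # Returns -1, 0 or 1, like `dpkg --compare-versions` lt / eq / gt.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    # Hosts still running a squid-cgi older than the fixed version for their release.
    return [h for h, rel, ver in inventory
            if rel in FIXED and compare_versions(ver, FIXED[rel]) < 0]
```

Calling `audit(INVENTORY)` returns the hosts that still need the update; on a single Ubuntu machine, `dpkg --compare-versions` performs the same comparison.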
