CVE-2010-0308: DoS (assertion failure) via a crafted DNS packet that only contains header in lucid series

Bug #907686 reported by Mahyuddin Susanto
Affects            Status         Importance   Assigned to   Milestone
squid3 (Ubuntu)    Fix Released   High         Unassigned
  Nominated for Precise by Mahyuddin Susanto
Lucid              Fix Released   Undecided    Unassigned
Maverick           Fix Released   Undecided    Unassigned
Natty              Fix Released   Undecided    Unassigned
Oneiric            Fix Released   Undecided    Unassigned

Bug Description

Description:
lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through
3.1.0.15 allows remote attackers to cause a denial of service (assertion
failure) via a crafted DNS packet that only contains a header.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0308
http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
http://www.ubuntu.com/usn/usn-901-1

Upstream patch:
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch
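
The failure class described above, an assertion reached by a DNS message that ends right after its 12-byte header, is avoided when a parser treats every length condition on network input as a recoverable parse error. The following is an added example, not Squid's lib/rfc1035.c code or the upstream patch; the function names, return codes and both sample packets are constructed for illustration.

```c
#include <stddef.h>

#define DNS_HDR_LEN 12  /* fixed DNS header size (RFC 1035, section 4.1.1) */
enum { DNS_OK = 0, DNS_ERR_SHORT_HEADER = -1, DNS_ERR_TRUNCATED = -2, DNS_ERR_BAD_NAME = -3 };

/* Constructed sample: header claims one question, but nothing follows it. */
static const unsigned char HEADER_ONLY[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00 };
/* Constructed sample: same header plus the question "example.com IN A". */
static const unsigned char WITH_QUESTION[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };

/* Advance *off past one encoded name without reading at or beyond buf[sz]. */
static int dns_skip_name(const unsigned char *buf, size_t sz, size_t *off)
{
    for (;;) {
        if (*off >= sz) return DNS_ERR_TRUNCATED;   /* header-only input ends here */
        unsigned char len = buf[*off];
        if ((len & 0xC0) == 0xC0) {                 /* 2-byte compression pointer */
            if (sz - *off < 2) return DNS_ERR_TRUNCATED;
            *off += 2;
            return DNS_OK;
        }
        if (len & 0xC0) return DNS_ERR_BAD_NAME;    /* reserved label types */
        *off += 1;
        if (len == 0) return DNS_OK;                /* root label ends the name */
        if (sz - *off < len) return DNS_ERR_TRUNCATED;
        *off += len;
    }
}

/* Check header and question section; every length problem is a return code. */
int dns_check_message(const unsigned char *buf, size_t sz)
{
    size_t off = DNS_HDR_LEN;
    if (buf == NULL || sz < DNS_HDR_LEN) return DNS_ERR_SHORT_HEADER;
    unsigned qdcount = ((unsigned)buf[4] << 8) | buf[5];  /* claimed question count */
    for (unsigned i = 0; i < qdcount; i++) {
        int rc = dns_skip_name(buf, sz, &off);
        if (rc != DNS_OK) return rc;
        if (sz - off < 4) return DNS_ERR_TRUNCATED; /* QTYPE and QCLASS */
        off += 4;
    }
    return DNS_OK;
}

int main(void)
{
    int bad = dns_check_message(HEADER_ONLY, sizeof HEADER_ONLY);
    int good = dns_check_message(WITH_QUESTION, sizeof WITH_QUESTION);
    return (bad == DNS_ERR_TRUNCATED && good == DNS_OK) ? 0 : 1;
}
```

A caller would log the negative return code and drop the message, so a malformed reply costs one failed lookup instead of terminating the process.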

Changed in squid3 (Ubuntu):
status: New → In Progress
assignee: nobody → Mahyuddin Susanto (udienz)
security vulnerability: no → yes
Changed in squid3 (Ubuntu):
assignee: Mahyuddin Susanto (udienz) → nobody
status: In Progress → New
Robie Basak (racb)
Changed in squid3 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in squid3 (Ubuntu Maverick):
status: New → Fix Released
Changed in squid3 (Ubuntu Natty):
status: New → Fix Released
Changed in squid3 (Ubuntu Oneiric):
status: New → Fix Released
Changed in squid3 (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.0.STABLE19-1ubuntu0.2

---------------
squid3 (3.0.STABLE19-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS (assertion failure) via a crafted DNS packet
    that only contains header. (LP: #907686)
    - debian/patches/CVE-2010-0308.dpatch: patch derived from upstream.
    - CVE-2010-0308
  * SECURITY UPDATE: Fix DoS (NULL pointer dereference and daemon crash) via
    crafted packets to the HTCP port. (LP: #907690)
    - debian/patches/CVE-2010-0639.dpatch: patch derived from upstream.
    - CVE-2010-0639
  * SECURITY UPDATE: Fix DoS (memory corruption and daemon restart) or possibly
    have unspecified other impact via a long line in a response by remote
    Gopher servers. (LP: #907687)
    - debian/patches/CVE-2011-3205.dpatch: patch derived from upstream.
    - CVE-2011-3205
 -- Mahyuddin Susanto <email address hidden> Wed, 18 Jan 2012 12:46:59 +0700

Changed in squid3 (Ubuntu Lucid):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.