CVE-2010-2951 and CVE-2010-3072 still exists in Lucid and CVE-2010-2951 still exists in maverick

Bug #718127 reported by Mahyuddin Susanto on 2011-02-13
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
squid3 (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned

Bug Description

Binary package hint: squid3

squid3 in lucid still having CVE-2010-2951 and CVE-2010-3072, i see the patch doesn't exits in debian/patches/

and in maverick only CVE-2010-2951, and CVE-2010-3072 patch appear in patches

description: updated
Artur Rona (ari-tczew) wrote :

squid3 (3.1.6-1.2ubuntu1) natty; urgency=low

  * Merge from debian unstable. (LP: #717654) Remaining changes:
    - debian/squid3.ufw.profile: Provide ufw profile
  * debian/patches/18-fix-ftbfs-binutils-gold.dpatch: Add sasl2 and kerberos
    library in LDADD to fix FTBFS binutils-gold with --as-needed. (LP: #717653)

squid3 (3.1.6-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Fix DoS while processing large DNS replies with no IPv6 resolver present
    (CVE-2010-2951) (Closes: #599709)
 -- Mahyuddin Susanto <email address hidden> Sun, 13 Feb 2011 00:43:10 +0700

Changed in squid3 (Ubuntu Natty):
status: New → Fix Released
Mahyuddin Susanto (udienz) wrote :
Micah Gersten (micahg) wrote :

Subscribed ubuntu-security-sponsors since this is a security fix for a stable release at this point.

security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote :

Mahyuddin, thanks for the debdiffs! The lucid debdiff should use a version of 3.0.STABLE19-1ubuntu0.1 as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. More importantly, the lucid package FTBFS (fails to build from source). It looks like you just copied over the natty patches for these issues and created a source package for lucid. The 3.0 and 3.1 code bases are different and the 3.1 patch for CVE-2010-3072 needs to be adjusted. Please adjust and resubmit, detailing the testing performed.

NAK

Changed in squid3 (Ubuntu Lucid):
assignee: nobody → Mahyuddin Susanto (udienz)
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

ACK maverick patch.

Changed in squid3 (Ubuntu Maverick):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Uploaded maverick package to security PPA. Will publish when it is done building.

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe after updating the lucid patch.

summary: - CVE-2010-2951 and CVE-2010-3072 still exits in Lucid and CVE-2010-2951
- still exits in maverick
+ CVE-2010-2951 and CVE-2010-3072 still exists in Lucid and CVE-2010-2951
+ still exists in maverick
Changed in squid3 (Ubuntu Maverick):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.1.6-1.1ubuntu1.1

---------------
squid3 (3.1.6-1.1ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: Fix DoS while processing large DNS replies with no
    IPv6 resolver present. (LP: #718127)
    - debian/patches/17-CVE-2010-2951.dpatch
    - CVE-2010-2951
    - http://bugs.squid-cache.org/show_bug.cgi?id=3009
 -- Mahyuddin Susanto <email address hidden> Sun, 13 Feb 2011 19:41:58 +0700

Changed in squid3 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Amos Jeffries (yadi) wrote :

2010-2951 is not relevant to the Lucid package (3.0 series) which does not attempt DNS over IPv6.

2010-3072 correct patch for Lucid package version as referenced by the upstream advisory can be found at http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch

Also,
  Please consider 3.1.10 package (now in Natty) for back-porting as a whole to Maverick. There are a great deal of related stability fixes over 3.1.6 which the user base require to prevent indirect problems even if the direct attack vulnerability is fixed.

Changed in squid3 (Ubuntu Lucid):
status: Incomplete → In Progress
Jamie Strandboge (jdstrand) wrote :

Amos, squid3 is a community supported package. If you would like to see an update to 3.1.10 in maverick, please file a new bug and follow https://wiki.ubuntu.com/StableReleaseUpdates to prepare an update. Thanks!

Mahyuddin Susanto (udienz) wrote :

applying patch 01-cf.data.debian to ./ ... ok.
applying patch 02-makefile-defaults to ./ ... ok.
applying patch CVE-2010-3072 to ./ ... ok.

Ready to upload

Changed in squid3 (Ubuntu Lucid):
status: In Progress → New
assignee: Mahyuddin Susanto (udienz) → nobody
Jamie Strandboge (jdstrand) wrote :

Mahyuddin, thank you for the updated patch. It should use 'lucid-security' for the distribution name and had whitespace changes when compared to the upstream patch. It is important to not introduce whitespace changes as future updates may not apply cleanly.

I have adjusted both of these and am uploading now.

Changed in squid3 (Ubuntu Lucid):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.0.STABLE19-1ubuntu0.1

---------------
squid3 (3.0.STABLE19-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS due to wrong string handling. (LP: #718127)
    - debian/patches/CVE-2010-3072.dpatch
    - CVE-2010-3072
    - http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
 -- Mahyuddin Susanto <email address hidden> Thu, 17 Feb 2011 00:06:24 +0700

Changed in squid3 (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.