From ${URL} : Description A vulnerability has been reported in Squid, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the "idnsALookup()" function (dns_internal.cc) when handling DNS query generation requests and can be exploited to cause a buffer overflow by sending specially crafted HTTP requests. The vulnerability is reported in versions 3.2 through 3.2.11 and versions 3.3 through 3.3.6. Solution: Update to version 3.2.12 or 3.3.7 or apply patch. Provided and/or discovered by: The vendor credits Nathan Hoad, Netbox Blue. Original Advisory: http://www.squid-cache.org/Advisories/SQUID-2013_2.txt @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
The versions with the fixes are already in the tree. @maintainers: please ack a stable.
@security: We can stabilise =net-proxy/squid-3.2.12. Thank you.
Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks!
(In reply to Chris Reffett from comment #3) > Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 > arm hppa ia64 ppc ppc64 sparc x86. Thanks! Like this please: Arch teams, please test and mark stable: =net-proxy/squid-3.2.12 Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
ppc64 stable
Another security bump in the meantime: http://www.squid-cache.org/Advisories/SQUID-2013_3.txt We should stabilize =net-proxy/squid-3.2.13 @security: Please let me know how you want to proceed (separate bug? continue here?). Thanks.
alpha stable
arm stable
Continued in bug #476960.
GLSA vote: yes
CVE-2013-4115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4115): Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request.
Added to existing draft.
This issue was resolved and addressed in GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml by GLSA coordinator Sergey Popov (pinkbyte).
