| Summary: | <net-proxy/squid-{3.2.12,3.3.7}: "idnsALookup()" DNS Name Handling Buffer Overflow Vulnerability (CVE-2013-4115) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | eras, net-proxy+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/54076/ | ||
| Whiteboard: | B3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
The versions with the fixes are already in the tree. @maintainers: please ack a stable. @security: We can stabilise =net-proxy/squid-3.2.12. Thank you. Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks! (In reply to Chris Reffett from comment #3) > Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 > arm hppa ia64 ppc ppc64 sparc x86. Thanks! Like this please: Arch teams, please test and mark stable: =net-proxy/squid-3.2.12 Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 amd64 stable x86 stable Stable for HPPA. ppc stable ppc64 stable Another security bump in the meantime: http://www.squid-cache.org/Advisories/SQUID-2013_3.txt We should stabilize =net-proxy/squid-3.2.13 @security: Please let me know how you want to proceed (separate bug? continue here?). Thanks. alpha stable arm stable Continued in bug #476960. GLSA vote: yes CVE-2013-4115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4115): Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request. Added to existing draft. This issue was resolved and addressed in GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml by GLSA coordinator Sergey Popov (pinkbyte). |
From ${URL} : Description A vulnerability has been reported in Squid, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the "idnsALookup()" function (dns_internal.cc) when handling DNS query generation requests and can be exploited to cause a buffer overflow by sending specially crafted HTTP requests. The vulnerability is reported in versions 3.2 through 3.2.11 and versions 3.3 through 3.3.6. Solution: Update to version 3.2.12 or 3.3.7 or apply patch. Provided and/or discovered by: The vendor credits Nathan Hoad, Netbox Blue. Original Advisory: http://www.squid-cache.org/Advisories/SQUID-2013_2.txt @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.