"An invalid free flaw was found in the way Squid proxy caching server
processed DNS requests, where one CNAME record pointed to another CNAME
record pointing to an empty A-record. A remote attacker could issue a
specially-crafted DNS request, leading to denial of service (squid
Fixed in Squid 3.1.16.
+*squid-3.1.16 (01 Nov 2011)
+ 01 Nov 2011; Eray Aslan <email@example.com> +squid-3.1.16.ebuild:
+ non-maintainer version bump - security bug #389133
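Review bot: the entry line "non-maintainer version bump - security bug #389133" identifies the fix only by bug number. Adding a few words on what the bump addresses (the invalid free in DNS CNAME handling that the report describes) would let a reader of the ChangeLog see why 3.1.16 needs stabilizing without opening the bug.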
@security: Please test and stabilize squid-3.1.16. Thank you.
Arches, please test and mark stable:
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
x86 stable, thanks.
The idnsGrokReply function in Squid before 3.1.16 does not properly free
memory, which allows remote attackers to cause a denial of service (daemon
abort) via a DNS reply containing a CNAME record that references another
CNAME record that contains an empty A record.
@security: please vote for GLSA.
Thanks, folks. GLSA Vote: yes.
Vote: Yes. GLSA request filed.
This issue was resolved and addressed in
GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).