Some security issues have been reported in squidGuard, which can be
exploited by malicious people to bypass certain security
1) A boundary error in sgLog.c can be exploited to put the
application in emergency mode and disable the filter via an overly
long URL containing multiple '/' characters.
2) Two errors in the processing of overly long URLs can be exploited
to bypass the URL filter.
The security issues are reported in versions 1.3 and 1.4. Prior
versions may also be affected.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
Maintainers, please provide an ebuild that includes the said patches.
*** Bug 290981 has been marked as a duplicate of this bug. ***
Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote
attackers to cause a denial of service (application hang or loss of
blocking functionality) via a long URL with many / (slash)
characters, related to "emergency mode."
Multiple buffer overflows in squidGuard 1.4 allow remote attackers to
bypass intended URL blocking via a long URL, related to (1) the
relationship between a certain buffer size in squidGuard and a
certain buffer size in Squid and (2) a redirect URL that contains
information about the originally requested URL.
Patch 20091019 was already applied in version 1.4-r3, see vsnprintf.patch.
Second patch has been imported in our tree as upstream-fixes.patch, although the quality of this patch is dubious.
Please mark squid-1.4-r4 as stable.
amd64/x86 stable, all arches done.
sorry... my script is running insane
Stable for PPC.
GLSA vote: no.
NO too, closing