From secunia security advisor at $URL: Description: The vulnerability is caused due to a boundary error when processing Gopher responses and can be exploited to cause a buffer overflow via an overly long string. Successful exploitation may allow execution of arbitrary code. Solution: Update to version 3.0.STABLE26 or 3.1.15.
all member of net-proxy herd are away atm. I want CC Eray; he is the committers of last version[1] available in tree, so, probably he wants take care of this bump. [1]: 29 Apr 2011; Eray Aslan <eras@gentoo.org> +squid-3.1.12.ebuild, +files/squid-3.1.12-gentoo.patch: Non-maintainer version bump - bug #362049
+*squid-3.1.15 (31 Aug 2011) + + 31 Aug 2011; Eray Aslan <eras@gentoo.org> +squid-3.1.15.ebuild, + +files/squid-3.1.15-gentoo.patch: + version bump - security bug #381065 +
Great, thanks Eray for your extra-works ;) arches, please test and mark stable : =net-proxy/squid-3.1.15 target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 ok
AMD64; ditto Ago
+ 01 Sep 2011; Tony Vroon <chainsaw@gentoo.org> squid-3.1.15.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #381065.
Stable for HPPA.
ppc/ppc64 stable
alpha/arm/ia64/sparc/x86 stable
Thanks, folks. Added to existing GLSA request.
CVE-2011-3205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205): Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.
This issue was resolved and addressed in GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml by GLSA coordinator Tim Sammut (underling).