Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389133 (CVE-2011-4096) - <net-proxy/squid-3.1.16 Invalid free DoS vulnerability (CVE-2011-4096)
Summary: <net-proxy/squid-3.1.16 Invalid free DoS vulnerability (CVE-2011-4096)
Alias: CVE-2011-4096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2011-10-31 22:36 UTC by Sean Amoss (RETIRED)
Modified: 2013-09-27 09:52 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-31 22:36:43 UTC
From $URL:

"An invalid free flaw was found in the way Squid proxy caching server
processed DNS requests, where one CNAME record pointed to another CNAME
record pointing to an empty A-record. A remote attacker could issue a
specially-crafted DNS request, leading to denial of service (squid
daemon abort)."

Fixed in Squid 3.1.16.
Comment 1 Eray Aslan gentoo-dev 2011-11-01 11:02:07 UTC
+*squid-3.1.16 (01 Nov 2011)
+  01 Nov 2011; Eray Aslan <> +squid-3.1.16.ebuild:
+  non-maintainer version bump - security bug #389133

@security:  Please test and stabilize squid-3.1.16.  Thank you.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2011-11-01 11:05:15 UTC
Thanks eras. 

Arches, please test and mark stable:
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 3 Homer Parker (RETIRED) gentoo-dev 2011-11-01 14:04:21 UTC
AMD64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-02 14:11:47 UTC
Stable for HPPA.
Comment 5 Andreas Schürch gentoo-dev 2011-11-05 15:33:53 UTC
x86 stable, thanks.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2011-11-06 13:39:34 UTC
ppc done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-11-13 15:46:21 UTC
alpha/ia64/sparc stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-11-18 06:16:29 UTC
CVE-2011-4096 (
  The idnsGrokReply function in Squid before 3.1.16 does not properly free
  memory, which allows remote attackers to cause a denial of service (daemon
  abort) via a DNS reply containing a CNAME record that references another
  CNAME record that contains an empty A record.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2011-12-18 20:54:36 UTC
ppc64 done
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2011-12-18 20:57:38 UTC
Thanks everyone. 

@security: please vote for GLSA.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-18 21:12:07 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:09:10 UTC
Vote: Yes. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 09:52:09 UTC
This issue was resolved and addressed in
 GLSA 201309-22 at
by GLSA coordinator Sergey Popov (pinkbyte).