Candidate: CVE-2013-4115
PublicDate: 2013-08-09 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
 http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
Description:
 Buffer overflow in the idnsALookup function in dns_internal.cc in Squid
 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause
 a denial of service (memory corruption and server termination) via a long
 name in a DNS lookup request.
Ubuntu-Description:
Notes:
 mdeslaur> this only affects 3.2+
 mdeslaur> although upstream has a patch for older versions, 3.1 and older
 mdeslaur> perform URL validation before hitting the affected code, so
 mdeslaur> they aren't vulnerable to the security issue.
 mdeslaur> saucy has vulnerable version in -proposed
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716743
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_squid3:
 upstream: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch (3.0)
 upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch (3.1)
 upstream: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch (3.3)
upstream_squid3: released (3.2.12,3.3.7)
lucid_squid3: not-affected (3.0.STABLE19-1ubuntu0.2)
precise_squid3: not-affected (3.1.19-1ubuntu3.12.04.2)
quantal_squid3: not-affected (3.1.20-1ubuntu1.1)
raring_squid3: not-affected (3.1.20-1ubuntu3)
devel_squid3: not-affected (3.3.8-1ubuntu1)