CVE-2013-4115
Published: 9 August 2013
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request.
Notes
Author | Note |
---|---|
mdeslaur | This only affects 3.2+. Although upstream has a patch for older versions, 3.1 and older perform URL validation before hitting the affected code, so they aren't vulnerable to the security issue. saucy has a vulnerable version in -proposed. |
Priority
Status
Package | Release | Status |
---|---|---|
squid3 (Launchpad, Ubuntu, Debian) | upstream | Released (3.2.12,3.3.7) |
 | lucid | Not vulnerable (3.0.STABLE19-1ubuntu0.2) |
 | precise | Not vulnerable (3.1.19-1ubuntu3.12.04.2) |
 | quantal | Not vulnerable (3.1.20-1ubuntu1.1) |
 | raring | Not vulnerable (3.1.20-1ubuntu3) |
 | saucy | Not vulnerable (3.3.8-1ubuntu1) |

Patches:
- upstream: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch (3.0)
- upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch (3.1)
- upstream: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch (3.3)