Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Squid | Squid-cache | 3.0.stable1 (including) | 3.0.stable1 (including) |
| Squid | Squid-cache | 3.0.stable2 (including) | 3.0.stable2 (including) |
| Squid | Squid-cache | 3.0.stable3 (including) | 3.0.stable3 (including) |
| Squid | Squid-cache | 3.0.stable4 (including) | 3.0.stable4 (including) |
| Squid | Squid-cache | 3.0.stable5 (including) | 3.0.stable5 (including) |
| Squid | Squid-cache | 3.0.stable6 (including) | 3.0.stable6 (including) |
| Squid | Squid-cache | 3.0.stable7 (including) | 3.0.stable7 (including) |
| Squid | Squid-cache | 3.0.stable8 (including) | 3.0.stable8 (including) |
| Squid | Squid-cache | 3.0.stable9 (including) | 3.0.stable9 (including) |
| Squid | Squid-cache | 3.0.stable10 (including) | 3.0.stable10 (including) |
| Squid | Squid-cache | 3.0.stable11 (including) | 3.0.stable11 (including) |
| Squid | Squid-cache | 3.0.stable11-rc1 (including) | 3.0.stable11-rc1 (including) |
| Squid | Squid-cache | 3.0.stable12 (including) | 3.0.stable12 (including) |
| Squid | Squid-cache | 3.0.stable13 (including) | 3.0.stable13 (including) |
| Squid | Squid-cache | 3.0.stable14 (including) | 3.0.stable14 (including) |
| Squid | Squid-cache | 3.0.stable15 (including) | 3.0.stable15 (including) |
| Squid | Squid-cache | 3.0.stable16 (including) | 3.0.stable16 (including) |
| Squid | Squid-cache | 3.0.stable16-rc1 (including) | 3.0.stable16-rc1 (including) |
| Squid | Squid-cache | 3.0.stable17 (including) | 3.0.stable17 (including) |
| Squid | Squid-cache | 3.0.stable18 (including) | 3.0.stable18 (including) |
| Squid | Squid-cache | 3.0.stable19 (including) | 3.0.stable19 (including) |
| Squid | Squid-cache | 3.0.stable20 (including) | 3.0.stable20 (including) |
| Squid | Squid-cache | 3.0.stable21 (including) | 3.0.stable21 (including) |
| Squid | Squid-cache | 3.0.stable22 (including) | 3.0.stable22 (including) |
| Squid | Squid-cache | 3.0.stable23 (including) | 3.0.stable23 (including) |
| Squid | Squid-cache | 3.0.stable24 (including) | 3.0.stable24 (including) |
| Squid | Squid-cache | 3.0.stable25 (including) | 3.0.stable25 (including) |
| Red Hat Enterprise Linux 6 | RedHat | squid-7:3.1.10-1.el6_1.1 | * |
| Squid | Ubuntu | upstream | * |
| Squid3 | Ubuntu | hardy | * |
| Squid3 | Ubuntu | lucid | * |
| Squid3 | Ubuntu | maverick | * |
| Squid3 | Ubuntu | natty | * |
| Squid3 | Ubuntu | oneiric | * |
| Squid3 | Ubuntu | upstream | * |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065534.html
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
- http://openwall.com/lists/oss-security/2011/08/29/2
- http://openwall.com/lists/oss-security/2011/08/30/4
- http://openwall.com/lists/oss-security/2011/08/30/8
- http://secunia.com/advisories/45805
- http://secunia.com/advisories/45906
- http://secunia.com/advisories/45920
- http://secunia.com/advisories/45965
- http://secunia.com/advisories/46029
- http://securitytracker.com/id?1025981
- http://www.debian.org/security/2011/dsa-2304
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:150
- http://www.osvdb.org/74847
- http://www.redhat.com/support/errata/RHSA-2011-1293.html
- http://www.securityfocus.com/bid/49356
- http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
- http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12710.patch
- http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch
- http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch
- http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch
- https://bugzilla.redhat.com/show_bug.cgi?id=734583
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065534.html
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
- http://openwall.com/lists/oss-security/2011/08/29/2
- http://openwall.com/lists/oss-security/2011/08/30/4
- http://openwall.com/lists/oss-security/2011/08/30/8
- http://secunia.com/advisories/45805
- http://secunia.com/advisories/45906
- http://secunia.com/advisories/45920
- http://secunia.com/advisories/45965
- http://secunia.com/advisories/46029
- http://securitytracker.com/id?1025981
- http://www.debian.org/security/2011/dsa-2304
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:150
- http://www.osvdb.org/74847
- http://www.redhat.com/support/errata/RHSA-2011-1293.html
- http://www.securityfocus.com/bid/49356
- http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
- http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12710.patch
- http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch
- http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch
- http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch
- https://bugzilla.redhat.com/show_bug.cgi?id=734583