SB2011090608 - Input validation error in Squid-cache Squid

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2011-3205)

The vulnerability allows remote Gopher servers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response.

Remediation

Install update from vendor's website.

References

• http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065534.html
• http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
• http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
• http://openwall.com/lists/oss-security/2011/08/29/2
• http://openwall.com/lists/oss-security/2011/08/30/4
• http://openwall.com/lists/oss-security/2011/08/30/8
• http://secunia.com/advisories/45805
• http://secunia.com/advisories/45906
• http://secunia.com/advisories/45920
• http://secunia.com/advisories/45965
• http://secunia.com/advisories/46029
• http://securitytracker.com/id?1025981
• http://www.debian.org/security/2011/dsa-2304
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:150
• http://www.osvdb.org/74847
• http://www.redhat.com/support/errata/RHSA-2011-1293.html
• http://www.securityfocus.com/bid/49356
• http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
• http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12710.patch
• http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch
• http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch
• http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch
• https://bugzilla.redhat.com/show_bug.cgi?id=734583