A denial of service flaw was found in the way Squid proxy caching server internally processed NULL buffers. A remote, trusted client could use this flaw to cause squid daemon crash (dereference NULL pointer) when processing specially-crafted request. References: [1] http://www.squid-cache.org/Advisories/SQUID-2010_3.txt Upstream patch (against Squid v3.0): [2] http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch Upstream patch (against Squid v3.1): [3] http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch Credit: The vulnerability was discovered by Phil Oester.
This issue affects the versions of the squid package, as shipped with Fedora release of 12 and 13. Please fix.
Created squid tracking bugs for this issue Affects: fedora-all [bug 630445]
update fixing this is already in updates for F13 and updates-testing for F12 https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc13 https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc12.1
correction. those updates are vulnerable. sorry for the confusion.
This issue did NOT affect the versions of the squid package, as shippped with Red Hat Enterprise Linux 3, 4, or 5.
The CVE identifier of CVE-2010-3072 has been assigned to this issue.
Statement: This issue did not affect the version of Squid as shipped with Red Hat Enterprise Linux 3, 4, or 5. It was corrected in Red Hat Enterprise Linux 6 via RHSA-2011:0545.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0545 https://rhn.redhat.com/errata/RHSA-2011-0545.html