Bug 750316 (CVE-2011-4096) - CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record
Summary: CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 750321 755016 755017 844301
Blocks: 750322
TreeView+ depends on / blocked
 
Reported: 2011-10-31 17:17 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 22:02:22 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1791 normal SHIPPED_LIVE Moderate: squid security update 2011-12-07 02:24:22 UTC

Description Jan Lieskovsky 2011-10-31 17:17:57 UTC
An invalid free flaw was found in the way Squid proxy caching server processed DNS requests, where one CNAME record pointed to another CNAME record pointing to an empty A-record. A remote attacker could issue a specially-crafted DNS request, leading to denial of service (squid daemon abort).

Upstream bug report:
[1] http://bugs.squid-cache.org/show_bug.cgi?id=3237

Relevant upstream patch:
[2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10384

References:
[3] http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html
[4] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c4
[5] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c5

Comment 1 Jan Lieskovsky 2011-10-31 17:36:24 UTC
This issue affects the versions of the squid package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-10-31 17:37:18 UTC
Created squid tracking bugs for this issue

Affects: fedora-all [bug 750321]

Comment 3 Jan Lieskovsky 2011-10-31 18:06:28 UTC
CVE request:
[6] http://www.openwall.com/lists/oss-security/2011/10/31/5

Comment 4 Henrik Nordström 2011-10-31 20:35:41 UTC
CVE-2011-4096 has been assigned to this issue.

Comment 5 Jan Lieskovsky 2011-11-01 11:34:23 UTC
This issue is scheduled to be corrected in the following squid package updates:
1) squid-3.1.16-1.fc14 for Fedora 14, and
2) squid-3.1.16-1.fc15 for Fedora 15.

Particular updates have been pushed to relevant -testing repositories and upon required testing is complete, they will be pushed to related -stable repositories.

Comment 7 Fedora Update System 2011-11-17 23:32:03 UTC
squid-3.1.16-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2011-11-17 23:38:49 UTC
squid-3.1.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Ramon de C Valle 2011-11-18 14:38:03 UTC
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include IPv6 support. This issue was introduced with the addition of IPv6 support in Squid 3.1 (in the changes made to the idnsGrokReply function).

Comment 10 Ramon de C Valle 2011-11-18 15:01:07 UTC
The code for merging multiple AAAA and A result sets is not present in the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 (i.e. src/dns_internal.cc#1096 of squid-3.1.10-1.el6).

Comment 14 errata-xmlrpc 2011-12-06 21:31:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1791 https://rhn.redhat.com/errata/RHSA-2011-1791.html


Note You need to log in before you can comment on or make changes to this bug.