This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 750316 - (CVE-2011-4096) CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record
CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20110606,repor...
: Security
Depends On: 750321 755016 755017 844301
Blocks: 750322
  Show dependency treegraph
 
Reported: 2011-10-31 13:17 EDT by Jan Lieskovsky
Modified: 2013-01-07 05:42 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 17:02:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-10-31 13:17:57 EDT
An invalid free flaw was found in the way Squid proxy caching server processed DNS requests, where one CNAME record pointed to another CNAME record pointing to an empty A-record. A remote attacker could issue a specially-crafted DNS request, leading to denial of service (squid daemon abort).

Upstream bug report:
[1] http://bugs.squid-cache.org/show_bug.cgi?id=3237

Relevant upstream patch:
[2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10384

References:
[3] http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html
[4] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c4
[5] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c5
Comment 1 Jan Lieskovsky 2011-10-31 13:36:24 EDT
This issue affects the versions of the squid package, as shipped with Fedora release of 14 and 15. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-10-31 13:37:18 EDT
Created squid tracking bugs for this issue

Affects: fedora-all [bug 750321]
Comment 3 Jan Lieskovsky 2011-10-31 14:06:28 EDT
CVE request:
[6] http://www.openwall.com/lists/oss-security/2011/10/31/5
Comment 4 Henrik Nordström 2011-10-31 16:35:41 EDT
CVE-2011-4096 has been assigned to this issue.
Comment 5 Jan Lieskovsky 2011-11-01 07:34:23 EDT
This issue is scheduled to be corrected in the following squid package updates:
1) squid-3.1.16-1.fc14 for Fedora 14, and
2) squid-3.1.16-1.fc15 for Fedora 15.

Particular updates have been pushed to relevant -testing repositories and upon required testing is complete, they will be pushed to related -stable repositories.
Comment 7 Fedora Update System 2011-11-17 18:32:03 EST
squid-3.1.16-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2011-11-17 18:38:49 EST
squid-3.1.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Ramon de C Valle 2011-11-18 09:38:03 EST
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include IPv6 support. This issue was introduced with the addition of IPv6 support in Squid 3.1 (in the changes made to the idnsGrokReply function).
Comment 10 Ramon de C Valle 2011-11-18 10:01:07 EST
The code for merging multiple AAAA and A result sets is not present in the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 (i.e. src/dns_internal.cc#1096 of squid-3.1.10-1.el6).
Comment 14 errata-xmlrpc 2011-12-06 16:31:04 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1791 https://rhn.redhat.com/errata/RHSA-2011-1791.html

Note You need to log in before you can comment on or make changes to this bug.