oss-sec mailing list archives

CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 31 Oct 2011 18:21:35 +0100

Hello Steve, vendors,

  an invalid free flaw was found in the way Squid proxy caching server
processed DNS requests, where one CNAME record pointed to another CNAME
record pointing to an empty A-record. A remote attacker could issue a

specially-crafted DNS request, leading to denial of service (squiddaemon abort).


Upstream bug report:
[1] http://bugs.squid-cache.org/show_bug.cgi?id=3237

Relevant upstream patch:
[2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10384

References:
[3] http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html
[4] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c4
[5] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c5
[6] https://bugzilla.redhat.com/show_bug.cgi?id=750316

Could you allocate a CVE id for this? (cc-ed Henrik and Jiri
for their opinion / comments too, if this should be considered
a security issue or not)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record Jan Lieskovsky (Oct 31)
- Re: CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record Kurt Seifried (Oct 31)
  - Re: CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record Henrik Nordström (Nov 01)
    - Re: CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record Steven M. Christey (Nov 14)