Info

Disclosure

Nov 23, 2004

Discovery

Unknown

Dates

Exploit

Nov 23, 2004

Solution

Unknown

Description

Squid contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a sequence of failed DNS lookups causes contents of recently freed memory to be displayed as error messages, which will disclose random information resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Team Squid has released a source code patch to address this vulnerability.

Products

Team Squid	Squid	2.5.STABLE1
		2.5.STABLE2
		2.5.STABLE3
		2.5.STABLE4
		2.5.STABLE5
		2.5.STABLE6
		2.5.STABLE7

References

Security Tracker: 1012466
SCIP VulDB ID: 1025
Bugtraq ID: 11865
Secunia Advisory ID: 13408 16828 16977
ISS X-Force ID: 18406
CVE ID: 2004-2479 (see also: NVD)
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20050903-02-U.asc http://fedoranews.org/updates/FEDORA--.shtml
http://www.squid-cache.org/bugs/show_bug.cgi?id=1143
Vendor URL: http://www.squid-cache.org/
RedHat RHSA: RHSA-2005:766

Credit

Artur Szostak - arturalice.phy.uct.ac.za -

Direct URL: http://osvdb.org/12282