Info

Disclosure

Nov 23, 2004

Discovery

Unknown

Dates

Exploit

Nov 23, 2004

Solution

Unknown

Description

Squid contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a sequence of failed DNS lookups causes contents of recently freed memory to be displayed as error messages, which will disclose random information resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Team Squid has released a source code patch to address this vulnerability.

Products

Team Squid	Squid	2.5.STABLE1
		2.5.STABLE2
		2.5.STABLE3
		2.5.STABLE4
		2.5.STABLE5
		2.5.STABLE6
		2.5.STABLE7

References

Security Tracker: 1012466
Bugtraq ID: 11865
Secunia Advisory ID: 13408 16828 16977
ISS X-Force ID: 18406
CVE ID: 2004-2479 (see also: NVD)
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20050903-02-U.asc http://www.squid-cache.org/bugs/show_bug.cgi?id=1143
Vendor URL: http://www.squid-cache.org/
RedHat RHSA: RHSA-2005:766

Credit

Artur Szostak - arturalice.phy.uct.ac.za -

Direct URL: http://osvdb.org/36218