The widely used proxy server Squid contains a heap overflow in one of its URL-constructing functions. Incorrect length calculations for the user and passwd fields in FTP URLs turned out to be the origin of the problem. Only users from hosts listed in Squid's ACL files could trigger the overflow. The FTP URL problem is not present in the 6.4, 7.0 and 7.1 distributions, but other security-related bugs have been fixed there. A complete history can be found at
OS | OS Version | Architecture | Package | Affected Package Version | Fixed Package Filename |
---|---|---|---|---|---|
openSUSE | 7.0 | i386 | squid2 | < 2.2.STABLE5-218 | squid2-2.2.STABLE5-218.i386.rpm |
openSUSE | 7.3 | ppc | squid-beta | < 2.4.STABLE2-59 | squid-beta-2.4.STABLE2-59.ppc.rpm |
openSUSE | 7.1 | ppc | squid2 | < 2.2.STABLE5-200 | squid2-2.2.STABLE5-200.ppc.rpm |
openSUSE | 6.4 | i386 | squid2 | < 2.2.STABLE5-219 | squid2-2.2.STABLE5-219.i386.rpm |
openSUSE | 7.3 | i386 | squid-beta | < 2.4.STABLE2-94 | squid-beta-2.4.STABLE2-94.i386.rpm |
openSUSE | 7.1 | sparc | squid2 | < 2.2.STABLE5-208 | squid2-2.2.STABLE5-208.sparc.rpm |
openSUSE | 7.0 | alpha | squid23 | < 2.3.STABLE4-74 | squid23-2.3.STABLE4-74.alpha.rpm |
openSUSE | 6.4 | alpha | squid2 | < 2.2.STABLE5-227 | squid2-2.2.STABLE5-227.alpha.rpm |
openSUSE | 7.1 | sparc | squid23 | < 2.3.STABLE4-60 | squid23-2.3.STABLE4-60.sparc.rpm |
openSUSE | 7.1 | ppc | squid23 | < 2.3.STABLE4-68 | squid23-2.3.STABLE4-68.ppc.rpm |
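An added helper for checking an installed package against the table above (example code, not part of the advisory): it compares RPM `version-release` strings the way `rpmvercmp` does (digit runs numerically, alpha runs lexically, a digit run outranking an alpha run) and reports whether the installed build is older than the fixed one listed for that OS version, architecture and package. The `FIXED_VERSIONS` table is copied from the advisory; the function and variable names are assumptions of this example.

```python
import re

# Fixed versions copied from the advisory table, keyed by (OS version, arch, package).
FIXED_VERSIONS = {
    ("7.0", "i386", "squid2"): "2.2.STABLE5-218",
    ("7.3", "ppc", "squid-beta"): "2.4.STABLE2-59",
    ("7.1", "ppc", "squid2"): "2.2.STABLE5-200",
    ("6.4", "i386", "squid2"): "2.2.STABLE5-219",
    ("7.3", "i386", "squid-beta"): "2.4.STABLE2-94",
    ("7.1", "sparc", "squid2"): "2.2.STABLE5-208",
    ("7.0", "alpha", "squid23"): "2.3.STABLE4-74",
    ("6.4", "alpha", "squid2"): "2.2.STABLE5-227",
    ("7.1", "sparc", "squid23"): "2.3.STABLE4-60",
    ("7.1", "ppc", "squid23"): "2.3.STABLE4-68",
}


def _segcmp(a, b):
    """Compare one version (or release) string rpmvercmp-style:
    split into digit and alpha runs, compare digit runs as integers and
    alpha runs lexically; a digit run ranks above an alpha run; when all
    shared segments match, the string with more segments is newer."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def rpm_vercmp(a, b):
    """Compare two 'version-release' strings; returns -1, 0 or 1."""
    va, ra = a.rsplit("-", 1) if "-" in a else (a, "")
    vb, rb = b.rsplit("-", 1) if "-" in b else (b, "")
    return _segcmp(va, vb) or _segcmp(ra, rb)


def is_vulnerable(os_version, arch, package, installed):
    """True when the installed version-release is older than the fixed one."""
    fixed = FIXED_VERSIONS.get((os_version, arch, package))
    if fixed is None:
        raise KeyError(f"no advisory entry for {package} on {os_version}/{arch}")
    return rpm_vercmp(installed, fixed) < 0
```

Feed it the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' squid2` (or the matching package name) on the host being checked.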