CVE-2011-3205

Name: CVE-2011-3205
Description: Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2304-1
NVD severity: medium (attack range: remote)
Debian Bugs: 639755

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | wheezy | 2.7.STABLE9-4.1+deb7u1 | fixed |
| | wheezy (security) | 2.7.STABLE9-4.1+deb7u2 | fixed |
| squid3 (PTS) | wheezy | 3.1.20-2.2+deb7u4 | fixed |
| | wheezy (security) | 3.1.20-2.2+deb7u7 | fixed |
| | jessie (security), jessie | 3.4.8-6+deb8u4 | fixed |
| | buster, sid, stretch | 3.5.23-5 | fixed |

The information below is based on the following data on fixed versions.

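| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| squid | source | (unstable) | (not affected) | | | |
| squid3 | source | (unstable) | 3.1.15-1 | low | | 639755 |
| squid3 | source | lenny | 3.0.STABLE8-3+lenny5 | medium | DSA-2304-1 | |
| squid3 | source | squeeze | 3.1.6-1.2+squeeze1 | medium | DSA-2304-1 | |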

Notes

- squid <not-affected> (Only a buffer overflow in Squid 3, see https://bugzilla.redhat.com/show_bug.cgi?id=734583#c4)
http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
