| Field | Value |
|---|---|
| Description | An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to a URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker-controlled data overflowing in the heap. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
| References | DLA-2028-1, DLA-2278-1, DSA-4682-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | buster, buster (security) | 4.6-1+deb10u7 | fixed |
| squid (PTS) | bullseye (security), bullseye | 4.13-10+deb11u1 | fixed |
The information below is based on the following data on fixed versions.
Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch