Posted by Andrés Roldán via Fulldisclosure on Feb 26
A Double-Free bug was found in Squid versions 4.14 and 5.0.5 when
processing the “acl” directive on configuration files, more
specifically the first and second addresses.
This may allow arbitrary code execution on a Squid deployment on where the
configuration files may be processed from untrusted sources.
The following sample configuration file causes the overflow:
# cat heap.conf
acl localnet src…
– Read More – Full Disclosure