A CRLF injection flaw was found in Squid that could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a specially crafted header in a response.
Note that the initial report of this issue was submitted to upstream in 2009. Only Squid 1.x, 2.x, and 3.0 releases are vulnerable.
This issue did not affect the versions of Squid as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 ships version 3.1.10 and Red Hat Enterprise Linux 7 ships version 3.3.8 of Squid, both of which include the fix for this issue.
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
The root cause of this issue is that Squid read more than Content-Length bytes from a request and sent back everything that was received, even beyond what was specified in the Content-Length header. For example, a redirect request with a Content-Length header set to "0" could include an HTML body that would not be parsed, and would be directly sent in the response. This could be used by an attacker to split the response and include arbitrary HTML in the second response, poison the cache with this response, and potentially conduct other attacks such as CSRF or XSS.
The flaw was fixed by truncating response bodies to the length specified in the Content-Length header. This ensures that requests that specify a correct content length cannot be used to carry other arbitrary content that may not be parsed. The code introduced a truncateVirginBody() function that handles this.
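The following is an added illustration of that truncation idea, not Squid's own code: an origin response is cut at its declared Content-Length and any trailing bytes (where an embedded second response would otherwise sit) are returned separately so a proxy can drop and log them. The sample response below is constructed; the function name is my own.

```python
"""Truncate an upstream HTTP response body to its declared Content-Length.

Added example (not Squid's code) of the behaviour the truncateVirginBody()
fix introduced: bytes past Content-Length are never forwarded to the client.
"""
import re

# Header lines end in CRLF; (?im) makes the name match case-insensitive
# and lets ^/$ work per line inside the header block.
_CL_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r$")


def truncate_to_content_length(raw):
    """Return (forwarded_bytes, dropped_excess) for a raw origin response.

    raw holds status line, headers and body exactly as read from the origin.
    With no Content-Length the stream is passed through unchanged (a real
    proxy would then rely on chunked encoding or connection close).
    Conflicting Content-Length values are rejected rather than guessed at.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("incomplete header block")
    head, body = raw[: sep + 4], raw[sep + 4 :]
    values = {int(v) for v in _CL_RE.findall(head)}
    if not values:
        return raw, b""
    if len(values) > 1:
        raise ValueError("conflicting Content-Length headers")
    declared = values.pop()
    return head + body[:declared], body[declared:]


# Constructed sample: a redirect with Content-Length: 0 whose origin appended
# a complete second response after the (empty) body. Pre-fix Squid relayed
# all of it; after truncation only the redirect reaches the client.
SAMPLE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.test/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"<p>injected content</p>"
)

if __name__ == "__main__":
    forwarded, excess = truncate_to_content_length(SAMPLE)
    print("forwarded %d bytes, dropped %d excess bytes" % (len(forwarded), len(excess)))
```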
On RHEL 5, which includes Squid version 2.6, this function is missing and responses are not truncated. Thus, RHEL 5 is affected by this flaw. There is currently no known workaround for this issue besides patching Squid with the patch linked to in comment #0.
RHEL 6.0 shipped with Squid version 3.1.4, in which this flaw was already fixed and the code contains the truncateVirginBody() function that prevents the exploitation of this issue. Similarly, RHEL 7.0 was shipped with 3.3.8 in which this flaw has already been fixed as well.