A denial of service flaw was found in the way squid handles certain client initiated requests. A client who can connect to the squid server could leverage this flaw to cause the squid child process to terminate. This would prevent anyone from using the squid server until the process automatically restarts.
The issue here is that a client request could be constructed in such a way that it triggers a call to assert() in the squid child process. This then causes the child process to quit, stopping all current requests until the child process is restarted. As this end up calling assert(), there is no potential for code execution from this particular flaw. The code that triggers this flaw is only present in squid versions 2.7 and above.
https://admin.fedoraproject.org/updates/squid-3.0.STABLE13-1.fc10 https://admin.fedoraproject.org/updates/squid-3.0.STABLE13-1.fc9
Official Statement from Red Hat (02/09/2009) Not vulnerable. This issue did not affect the version of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1526 https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1517