Bug 509895 - squid DoS in external auth header parser
Keywords:
Status: CLOSED DUPLICATE of bug 518182
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-06 17:49 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-24 14:26:00 UTC
Embargoed:



Description Vincent Danen 2009-07-06 17:49:04 UTC
A DoS condition in squid was reported [1] in the Debian bug tracker where certain headers using defined delimiters (such as ','), and used by either external authentication or access log formats that include parts of the headers with delimiters, could cause squid to crash. Configuration details and gdb output are included in the Debian bug.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

Comment 1 Vincent Danen 2009-07-13 17:32:12 UTC
This is now noted upstream:

http://www.squid-cache.org/bugs/show_bug.cgi?id=2704

No additional information or response from upstream as of yet.

Comment 3 Vincent Danen 2009-08-24 14:26:00 UTC
This is CVE-2009-2855.

*** This bug has been marked as a duplicate of bug 518182 ***

