CVE-2009-2855 in Ubuntu

CVE-2009-2855

Priority

Description

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
remote attackers to cause a denial of service via a crafted auth header
with certain comma delimiters that trigger an infinite loop of calls to the
strcspn function.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
https://ubuntu.com/security/notices/USN-901-1

Bugs

http://bugs.squid-cache.org/show_bug.cgi?id=2541
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
https://bugzilla.redhat.com/show_bug.cgi?id=518182

Notes

mdeslaur	reproducer in RH bug reproducer doesn't work on 2.5 and 2.6, as code is different. don't seem to be vulnerable.
micahg	http://packages.debian.org/changelogs/pool/main/s/squid3/current/changelog#version3.0.STABLE19-1 shows this CVE fixed, so marking as not-affected for lucid

Package

Source: squid (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	DNE

Patches:

Upstream:

http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/src/HttpHeaderTools.c.diff?r1=1.37.2.3&r2=1.37.2.4

Package

Source: squid3 (LP Ubuntu Debian)

Upstream:	released (3.1.6-1.1)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (3.1.6-1.1ubuntu1)

Patches:

Upstream:	http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch
Upstream:	http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch

More Information

Updated: 2022-02-10 23:38:17 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)