CVE-2009-0801

Priority
Description
Squid, when transparent interception mode is enabled, uses the HTTP Host
header to determine the remote endpoint, which allows remote attackers to
bypass access controls for Flash, Java, Silverlight, and probably other
technologies, and possibly communicate with restricted intranet sites, via
a crafted web page that causes a client to send HTTP requests with a
modified Host header.
Notes
sbeattieaccording to squid bug report, fixed in squid 3.2, which
hasn't us yet; bug report notes to *not* backport fix
mdeslaurupstream doesn't consider the issue important enough to create
a fix for <3.2. We aren't going to fix either.
Package
Source: squid (LP Ubuntu Debian)
Upstream:needs-triage
Package
Upstream:needs-triage
More Information

Updated: 2020-01-29 19:34:50 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)