CVE-2009-2855

Priority
Description
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
remote attackers to cause a denial of service via a crafted auth header
with certain comma delimiters that trigger an infinite loop of calls to the
strcspn function.
Notes
 mdeslaur> reproducer in RH bug
 mdeslaur> reproducer doesn't work on 2.5 and 2.6, as code is different.
 mdeslaur> don't seem to be vulnerable.
 micahg> http://packages.debian.org/changelogs/pool/main/s/squid3/current/changelog#version3.0.STABLE19-1 shows this CVE fixed, so marking as not-affected for lucid

Updated: 2019-03-19 11:50:34 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)