oss-sec mailing list archives
Re: squid DoS in external auth header parser
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 18 Aug 2009 16:42:18 -0400 (EDT)
======================================================
Name: CVE-2009-2855
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
Reference: MLIST:[oss-security] 20090720 squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/07/20/10
Reference: MLIST:[oss-security] 20090803 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/03/3
Reference: MLIST:[oss-security] 20090804 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/6
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
Reference: MISC:http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
allows remote attackers to cause a denial of service via a crafted
auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function.