Comment 2 for bug 12600

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Sun, 6 Feb 2005 14:46:35 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: malformed HTTP header attacks (CAN-2005-0174)

Package: squid
Version: 2.5.7-4
Severity: grave
Tags: security

CAN-2005-0174 describes some security holes in squid:

  Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or
  conduct certain attacks via headers that do not follow the HTTP specification,
  including (1) multiple Content-Length headers, (2) carriage return (CR)
  characters that are not part of a CRLF pair, and (3) header names containing
  whitespace characters.

Details and a patch here:

  http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

-- 
see shy jo

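The three header defects listed in the report, turned into a strict checker a proxy operator could run over captured header blocks. This is an added example, not squid's parser or the referenced patch; the sample blocks are constructed.

```python
"""Strict checker for the three malformed-header cases named in CAN-2005-0174.

Added example, not squid's code. Takes the raw bytes of an HTTP/1.x header
block as a proxy reads it off the wire and reports, as (code, fragment) pairs:
  bare-cr                  a CR not immediately followed by LF
  leading-whitespace       a header line starting with SP/HT (obs-fold or a
                           padded header name)
  bad-header-name          a header name with whitespace or other non-token chars
  multiple-content-length  more than one Content-Length header
"""
import re

# RFC 7230 "token" characters, the only ones allowed in a header name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_block(raw: bytes) -> list:
    """Return findings for one header block; an empty list means it is clean."""
    findings = []
    for m in re.finditer(rb"\r(?!\n)", raw):
        findings.append(("bare-cr", raw[m.start():m.start() + 16]))
    # Split on CRLF only, so a bare CR never acts as a line terminator here.
    lines = raw.split(b"\r\n")
    content_length_lines = 0
    for line in lines[1:]:            # lines[0] is the request or status line
        if line == b"":
            break                     # blank line ends the header block
        if line[:1] in (b" ", b"\t"):
            findings.append(("leading-whitespace", line))
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append(("bad-header-name", line))
            continue
        if not _TOKEN.match(name):
            findings.append(("bad-header-name", name))
        # Count Content-Length even when padded with whitespace: a lax parser
        # downstream may still honour such a line as a second length.
        if name.strip().lower() == b"content-length":
            content_length_lines += 1
    if content_length_lines > 1:
        findings.append(("multiple-content-length", b"%d headers" % content_length_lines))
    return findings


# Constructed sample blocks (not taken from the bug report or the advisory).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
DOUBLE_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 11\r\n\r\n"
BARE_CR = b"GET / HTTP/1.1\r\nHost: example.test\rX-Injected: 1\r\n\r\n"
WS_NAME = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 4\r\n\r\n"
```

A block that yields any finding is one a strict parser should reject rather than forward or cache.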