CAN-2005-0174 describes some security holes in squid:
Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or
conduct certain attacks via headers that do not follow the HTTP specification,
including (1) multiple Content-Length headers, (2) carriage return (CR)
characters that are not part of a CRLF pair, and (3) header names containing
whitespace characters.
Message-ID: <email address hidden>
Date: Sun, 6 Feb 2005 14:46:35 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: malformed HTTP header attacks (CAN-2005-0174)
Package: squid
Version: 2.5.7-4
Severity: grave
Tags: security
Details and a patch here:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing
-- 
see shy jo
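The three malformed-header conditions listed in the report, written as a strict check that a proxy test harness could run on a raw header block before trusting it. This is an added example, not Squid's patch and not code from the report; the function name, the message strings and the sample requests are constructed for illustration.

```python
import re

BARE_CR = "bare CR (not part of CRLF)"
WS_NAME = "whitespace in header name"
MULTI_CL = "multiple Content-Length headers"
NO_COLON = "header line without colon"

def check_header_block(raw: bytes) -> list[str]:
    """Flag the three malformed-header conditions in a raw HTTP header block.

    `raw` is the start line plus header lines, without the terminating
    blank line. An empty result means none of the conditions was found.
    """
    problems = []
    # (2) A CR is only valid as the first byte of a CRLF pair.
    if re.search(rb"\r(?!\n)", raw):
        problems.append(BARE_CR)
    content_lengths = 0
    for line in raw.split(b"\r\n")[1:]:   # [0] is the request/status line
        if not line or line[:1] in (b" ", b"\t"):
            continue                      # empty or folded continuation line
        name, sep, _value = line.partition(b":")
        if not sep:
            problems.append(NO_COLON)
            continue
        # (3) Field names are tokens; any whitespace in or around them is invalid.
        if re.search(rb"\s", name):
            problems.append(WS_NAME)
        # Count the padded variant too, since a lenient parser may accept it.
        if name.strip().lower() == b"content-length":
            content_lengths += 1
    # (1) More than one Content-Length makes the body length ambiguous.
    if content_lengths > 1:
        problems.append(MULTI_CL)
    return problems

# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0",
    "double_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 0\r\nContent-Length: 44",
    "bare_cr": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: a\rb",
    "ws_name": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_header_block(raw) or "ok")
```

A message that trips any of these checks is one where a proxy and the server behind it can disagree about where the message ends or which header applies, so rejecting it outright is the conservative choice.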