MDVSA-2009:241

Package name

squid

Date

2009-09-22

Advisory ID

MDVSA-2009:241

Affected versions

CS3.0 i586 , CS4.0 x86_64 , MNF2.0 i586 , CS3.0 x86_64 , CS4.0 i586

Problem description

A vulnerability was discovered and corrected in squid:

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
allows remote attackers to cause a denial of service via a crafted
auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function (CVE-2009-2855).

This update provides a solution to this vulnerability.

Updated packages

CS3.0 i586

 d3d31bfcf8743f0ef4fe8ae0a4f1a31d  corporate/3.0/i586/squid-2.5.STABLE9-1.10.C30mdk.i586.rpm 
 d8147ef0c2081a50a90fd90706f508fd  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.10.C30mdk.src.rpm

CS4.0 x86_64

 076514fd7e11d52a063a4b6d16e443f5  corporate/4.0/x86_64/squid-2.6.STABLE1-4.6.20060mlcs4.x86_64.rpm
 6a0c4f4b7052f4fe71caad88a0f69725  corporate/4.0/x86_64/squid-cachemgr-2.6.STABLE1-4.6.20060mlcs4.x86_64.rpm 
 1480559d19643520e2518c6580795e32  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.6.20060mlcs4.src.rpm

MNF2.0 i586

 408821c6a18366e616b4c3e487b52c7a  mnf/2.0/i586/squid-2.5.STABLE9-1.10.C30mdk.i586.rpm 
 ed57b93a8469cce94007865c7fd26679  mnf/2.0/SRPMS/squid-2.5.STABLE9-1.10.C30mdk.src.rpm

CS3.0 x86_64

 70bcb549848402cba200650f2a5f49bb  corporate/3.0/x86_64/squid-2.5.STABLE9-1.10.C30mdk.x86_64.rpm 
 d8147ef0c2081a50a90fd90706f508fd  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.10.C30mdk.src.rpm

CS4.0 i586

 41968d86246a9ce9ca14d37e620a39b0  corporate/4.0/i586/squid-2.6.STABLE1-4.6.20060mlcs4.i586.rpm
 e4070d1737a40a975431df182d6c334f  corporate/4.0/i586/squid-cachemgr-2.6.STABLE1-4.6.20060mlcs4.i586.rpm 
 1480559d19643520e2518c6580795e32  corporate/4.0/SRPMS/squid-2.6.STABLE1-4.6.20060mlcs4.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855