Message-ID: <Pine.GSO.4.51.0908181642050.17763@faron.mitre.org>
Date: Tue, 18 Aug 2009 16:42:18 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: squid DoS in external auth header parser


======================================================
Name: CVE-2009-2855
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
Reference: MLIST:[oss-security] 20090720 squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/07/20/10
Reference: MLIST:[oss-security] 20090803 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/03/3
Reference: MLIST:[oss-security] 20090804 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/6
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
Reference: MISC:http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
allows remote attackers to cause a denial of service via a crafted
auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function.
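The description above names the class of defect: a list-item iterator built on strcspn that can fail to advance its cursor on certain comma sequences, so the caller loops forever. The following C code is an added illustration written for this post, not Squid's strListGetItem and not the Debian or upstream patch; it is a generic comma-separated header-list iterator (names list_get_item, count_items and nth_item are invented) whose invariant is that every successful call moves the cursor strictly forward, so consecutive, leading or trailing commas terminate cleanly instead of spinning.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: iterate the items of a comma-separated HTTP list
 * header value.  *pos is the caller's cursor (start at 0).  Returns 1 and
 * sets *item/*ilen to the next non-empty, whitespace-trimmed item, or 0 when
 * the input is exhausted.  Progress guarantee: on return 1, the new *pos is
 * strictly greater than the old one, because str[start] is neither a comma
 * nor NUL, so strcspn() yields span >= 1. */
int list_get_item(const char *str, size_t *pos, const char **item, size_t *ilen)
{
    size_t len = strlen(str);
    if (*pos > len)
        *pos = len;                               /* defensive: bad cursor */
    /* Skip any run of delimiters and blanks; this is what makes ",," or a
     * leading/trailing comma harmless. */
    size_t start = *pos + strspn(str + *pos, ", \t");
    if (start >= len) {
        *pos = len;
        return 0;
    }
    size_t span = strcspn(str + start, ",");      /* item runs to next comma */
    size_t end = start + span;
    while (end > start && (str[end - 1] == ' ' || str[end - 1] == '\t'))
        end--;                                    /* trim trailing blanks */
    *item = str + start;
    *ilen = end - start;
    /* Step past the comma if there is one; always > old *pos. */
    *pos = start + span + (start + span < len ? 1 : 0);
    return 1;
}

/* Number of non-empty items in the list. */
int count_items(const char *str)
{
    size_t pos = 0, n;
    const char *it;
    int c = 0;
    while (list_get_item(str, &pos, &it, &n))
        c++;
    return c;
}

/* Copy the idx-th (0-based) item into buf; returns 1 if it exists. */
int nth_item(const char *str, int idx, char *buf, size_t bufsize)
{
    size_t pos = 0, n;
    const char *it;
    while (list_get_item(str, &pos, &it, &n)) {
        if (idx-- == 0) {
            if (n >= bufsize)
                n = bufsize - 1;
            memcpy(buf, it, n);
            buf[n] = '\0';
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed header values, including the degenerate comma-only case. */
    const char *samples[] = { "Basic abc, Digest realm=x", ",,,", ",Basic abc, , Digest," };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t pos = 0, n;
        const char *it;
        printf("\"%s\" -> %d item(s)\n", samples[i], count_items(samples[i]));
        while (list_get_item(samples[i], &pos, &it, &n))
            printf("  [%.*s]\n", (int)n, it);
    }
    return 0;
}
```

The point to check in any such iterator is the one the CVE text implies: for every input, including a value made only of delimiters, the cursor must advance on each call or the function must report end-of-list; a test over ",,," and ", ," is the cheapest regression guard.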

