Date: Tue, 18 Aug 2009 16:42:18 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: squid DoS in external auth header parser
======================================================
Name: CVE-2009-2855
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
Reference: MLIST:[oss-security] 20090720 squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/07/20/10
Reference: MLIST:[oss-security] 20090803 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/03/3
Reference: MLIST:[oss-security] 20090804 Re: squid DoS in external auth header parser
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/6
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
Reference: MISC:http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
allows remote attackers to cause a denial of service via a crafted
auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function.