Vulnerability Note VU#823350

Squid fails to properly handle oversized reply headers

Original Release date: 04 Feb 2005 | Last revised: 07 Feb 2005

Overview

The Squid web proxy cache may be vulnerable to oversized HTTP reply headers.

Description

Squid functions as a web proxy and cache application for a number of protocols, including the hypertext transfer protocol (HTTP). A defect in the Squid HTTP handling prevents oversized reply headers relating to an HTTP protocol mismatch from being handled properly.

Impact

The complete impact of this vulnerability is not yet known. This vulnerability is platform independent.

Solution

Apply an update

Administrators should obtain an updated version of Squid from their vendor.

Team Squid has created a patch for the current release version of Squid: squid-2.5.STABLE7-oversize_reply_headers.patch

This flaw has been patched in Squid 2.5.STABLE8-RC4. More details are available in the Squid Bugzilla bug #1216.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SquidAffected-04 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Team Squid for reporting this vulnerability, who in turn credit Marc Elsen for finding the flaw.

This document was written by Ken MacInnis based primarily on information provided by Team Squid.

Other Information

  • CVE IDs: Unknown
  • Date Public: 31 Jan 2005
  • Date First Published: 04 Feb 2005
  • Date Last Updated: 07 Feb 2005
  • Severity Metric: 1.20
  • Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.