search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Squid fails to properly handle oversized reply headers

Vulnerability Note VU#823350

Original Release Date: 2005-02-04 | Last Revised: 2005-02-07

Overview

The Squid web proxy cache may be vulnerable to oversized HTTP reply headers.

Description

Squid functions as a web proxy and cache application for a number of protocols, including the hypertext transfer protocol (HTTP). A defect in the Squid HTTP handling prevents oversized reply headers relating to an HTTP protocol mismatch from being handled properly.

Impact

The complete impact of this vulnerability is not yet known. This vulnerability is platform independent.

Solution

Apply an update

Administrators should obtain an updated version of Squid from their vendor.

Team Squid has created a patch for the current release version of Squid: squid-2.5.STABLE7-oversize_reply_headers.patch

This flaw has been patched in Squid 2.5.STABLE8-RC4. More details are available in the Squid Bugzilla bug #1216.

Vendor Information

823350
 
Expand all

Squid Affected

Updated:  February 04, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Team Squid has created a patch for the current release version of Squid: squid-2.5.STABLE7-oversize_reply_headers.patch

This flaw has been patched in Squid 2.5.STABLE8-RC4. More details are available in the Squid Bugzilla bug #1216.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Team Squid for reporting this vulnerability, who in turn credit Marc Elsen for finding the flaw.

This document was written by Ken MacInnis based primarily on information provided by Team Squid.

Other Information

CVE IDs: CVE-2005-0241
Severity Metric: 1.20
Date Public: 2005-01-31
Date First Published: 2005-02-04
Date Last Updated: 2005-02-07 21:18 UTC
Document Revision: 19

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis