Comment 1 Alex Legler (RETIRED) 2009-08-19 09:41:05 UTC

CVE-2009-2855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855):
  The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
  allows remote attackers to cause a denial of service via a crafted
  auth header with certain comma delimiters that trigger an infinite
  loop of calls to the strcspn function.

Comment 2 Stefan Behte (RETIRED) 2009-08-21 15:24:29 UTC

This seems related to an older Bug:
http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
Upstream Patch: http://www.squid-cache.org/bugs/attachment.cgi?id=2041

Comment 3 Alin Năstac (RETIRED) 2009-08-22 13:00:24 UTC

Fixed in versions squid-2.7.6-r2, squid-3.0.18-r1 and squid-3.1.0.13_beta-r1.

Arch teams, please mark version squid-3.0.18-r1 *and* squid-2.7.6-r2 as stable.

Comment 4 Jeroen Roovers (RETIRED) 2009-08-22 16:57:02 UTC

Stable for HPPA.

Comment 5 nixnut (RETIRED) 2009-08-23 09:59:23 UTC

ppc stable

Comment 6 Christian Faulhammer (RETIRED) 2009-08-25 12:00:56 UTC

x86 stable

Comment 7 Raúl Porcel (RETIRED) 2009-08-25 13:36:05 UTC

alpha/arm/ia64/sparc stable

Comment 8 Steve Dibb (RETIRED) 2009-08-27 20:21:14 UTC

amd64 stable

Comment 9 Brent Baude (RETIRED) 2009-08-31 00:04:39 UTC

ppc64 done

Comment 10 Alex Legler (RETIRED) 2009-09-02 09:25:01 UTC

GLSA voting: YES

Comment 11 Stefan Behte (RETIRED) 2009-09-14 21:56:58 UTC

Yes, too. Request filed.

could be closed, not more in cvs tree

Comment 13 GLSAMaker/CVETool Bot 2011-10-26 20:47:56 UTC

This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).