
Bug 279380 (CVE-2009-2855)

Summary: <net-proxy/squid-2.7.6-r2/3.0.18-r1 DoS in external auth header parser (CVE-2009-2855)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: martin.holzer, net-proxy+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 19:37:22 UTC
Bastian Blank reported an infinite loop when processing auth headers.

No upstream patch yet.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-19 09:41:05 UTC
CVE-2009-2855:
  The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
  allows remote attackers to cause a denial of service via a crafted
  auth header with certain comma delimiters that trigger an infinite
  loop of calls to the strcspn function.

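Added illustration of the bug class named in the CVE text above, not Squid's own strListGetItem (the page does not show Squid's logic, so the exact failing condition is assumed to be a delimiter run that left the scan position unchanged): a comma-separated header list iterator whose every call is checked to advance the scan position, so runs of commas or blanks cannot stall the loop. The names list_item, list_next_item, list_count_items and list_item_equals are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* One item of a comma-separated header list (points into the caller's buffer). */
typedef struct {
    const char *start;  /* first byte of the item */
    size_t len;         /* item length, never 0 for a returned item */
} list_item;

/* Return 1 and fill *it with the next non-empty, blank-trimmed item of str,
 * or 0 at end of string. *pos (NULL on the first call) is the scan cursor.
 * The assert documents the property the vulnerable parser lacked: the
 * cursor moves forward on every pass, whatever the delimiter layout. */
int list_next_item(const char *str, const char **pos, list_item *it)
{
    const char *p = *pos ? *pos : str;
    while (*p) {
        const char *before = p;
        p += strspn(p, ", \t");               /* skip delimiters and blanks */
        size_t span = strcspn(p, ",");        /* field length up to next comma */
        const char *end = p + span;
        while (end > p && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                            /* trim trailing blanks */
        *pos = p + span;                      /* resume after this field */
        assert(*pos > before);                /* progress guarantee */
        if (end > p) {
            it->start = p;
            it->len = (size_t)(end - p);
            return 1;
        }
        p = *pos;                             /* empty field (",,"): continue */
    }
    *pos = p;
    return 0;
}

/* Count the non-empty items; terminates for every input, including ",,,,". */
size_t list_count_items(const char *hdr)
{
    const char *pos = NULL;
    list_item it;
    size_t n = 0;
    while (list_next_item(hdr, &pos, &it))
        n++;
    return n;
}

/* Return 1 if the n-th (0-based) non-empty item of hdr equals expected. */
int list_item_equals(const char *hdr, size_t n, const char *expected)
{
    const char *pos = NULL;
    list_item it;
    while (list_next_item(hdr, &pos, &it))
        if (n-- == 0)
            return it.len == strlen(expected) && memcmp(it.start, expected, it.len) == 0;
    return 0;
}
```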
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-21 15:24:29 UTC
This seems related to an older Bug:
Upstream Patch:
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-08-22 13:00:24 UTC
Fixed in versions squid-2.7.6-r2, squid-3.0.18-r1 and squid-

Arch teams, please mark version squid-3.0.18-r1 *and* squid-2.7.6-r2 as stable.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-22 16:57:02 UTC
Stable for HPPA.
Comment 5 nixnut (RETIRED) gentoo-dev 2009-08-23 09:59:23 UTC
ppc stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 12:00:56 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 13:36:05 UTC
alpha/arm/ia64/sparc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2009-08-27 20:21:14 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-08-31 00:04:39 UTC
ppc64 done
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-02 09:25:01 UTC
GLSA voting: YES
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 21:56:58 UTC
Yes, too. Request filed.
Comment 12 martin holzer 2011-01-17 15:42:30 UTC
Could be closed, no longer in the CVS tree.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:47:56 UTC
This issue was resolved and addressed in GLSA 201110-24 at
by GLSA coordinator Tim Sammut (underling).