CVE-2009-2855
squid, squid3 - denial of service
EPSS 60.7%
Description
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
How to fix CVE-2009-2855
To remediate CVE-2009-2855, upgrade the affected package to one of the fixed versions listed below.
- Debian/squid—upgrade to 2.7.STABLE7-1 or later
- Debian/squid—upgrade to 2.6.5-6etch5 or later
- Debian/squid3—upgrade to 3.0.PRE5-5+etch2 or later
Is CVE-2009-2855 being exploited?
Likely — EPSS is 60.7%, placing CVE-2009-2855 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- Debian/squid: from 0, < 2.7.STABLE7-1
- Debian/squid: from 0, < 2.6.5-6etch5
- Debian/squid3: from 0, < 3.0.PRE5-5+etch2