CVE-2009-3305 — polipo - denial of service

Description

Polipo 1.0.4, and possibly other versions, allows remote attackers to cause a denial of service (crash) via a request with a Cache-Control header that lacks a value for the max-age field, which triggers a segmentation fault in the httpParseHeaders function in http_parse.c, and possibly other unspecified vectors.

How to fix CVE-2009-3305

To remediate CVE-2009-3305, upgrade the affected package to a fixed version below.

Debian/polipo—upgrade to 1.0.4-1.1 or later
Debian/polipo—upgrade to 1.0.4-1+lenny1 or later

Is CVE-2009-3305 being exploited?

Moderate — EPSS is 11.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.0.4-1.1
from 0, < 1.0.4-1+lenny1

References (6)

ADVISORYsecunia.com/advisories/37607
ADVISORYsecunia.com/advisories/38647
ADVISORYwww.debian.org/security/2010/dsa-2002
WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=547047
WEB