Squid: Denial of service — GLSA 200703-27

Squid is affected by a Denial of Service vulnerability.

Affected packages

net-proxy/squid on all architectures
Affected versions < 2.6.12
Unaffected versions >= 2.6.12

Background

Squid is a multi-protocol proxy server.

Description

In the clientProcessRequest() function, Squid incorrectly handles TRACE requests that contain a "Max-Forwards" header field with value "0".

Impact

A remote attacker can send specially crafted TRACE HTTP requests that will terminate the child process. A quickly repeated attack will lead to a Denial of Service.
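
Detection logic for the pattern described above, added here as an example and not part of the advisory or of Squid: it reports sources that repeat TRACE requests carrying Max-Forwards: 0 within a short window. A single such request is valid HTTP, so only repeats are reported. The function names, threshold, window and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def is_trace_max_forwards_zero(raw: bytes) -> bool:
    """True if the raw HTTP request is a TRACE carrying Max-Forwards: 0."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0] != "TRACE":   # HTTP methods are case-sensitive
        return False
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "max-forwards":  # field names are not
            value = value.strip()
            if value.isascii() and value.isdigit() and int(value) == 0:
                return True
    return False

def repeat_sources(events, threshold=3, window=10.0):
    """Sources with >= threshold matching requests inside `window` seconds."""
    # events: time-ordered (timestamp_seconds, source_ip, raw_request) tuples.
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, raw in events:
        if not is_trace_max_forwards_zero(raw):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

# Constructed sample capture; addresses are from documentation ranges.
TRACE0 = b"TRACE http://example.test/ HTTP/1.1\r\nHost: example.test\r\nMax-Forwards: 0\r\n\r\n"
TRACE5 = b"TRACE http://example.test/ HTTP/1.1\r\nHost: example.test\r\nmax-forwards: 5\r\n\r\n"
GET = b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = [
    (0.0, "192.0.2.10", TRACE0),
    (0.5, "198.51.100.7", GET),
    (1.0, "192.0.2.10", TRACE0),
    (1.5, "198.51.100.7", TRACE5),
    (2.0, "192.0.2.10", TRACE0),
    (3.0, "203.0.113.4", TRACE0),
]

if __name__ == "__main__":
    print(sorted(repeat_sources(SAMPLE)))
```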

Workaround

There is no known workaround at this time.

Resolution

All Squid users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.6.12"

References

Release date
March 31, 2007

Latest revision
March 31, 2007: 01

Severity
low

Exploitable
remote

Bugzilla entries