Category:   Application (Web Server/CGI)  >   Squid
Vendors:
Squid HTTP Request Processing Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1021684
SecurityTracker URL:
CVE Reference:   CVE-2009-0478
Updated:  Feb 11 2009
Original Entry Date:  Feb 4 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.7, 3.0, 3.1
Description:   A vulnerability was reported in Squid. A remote user can cause denial of service conditions.

A remote user can send specially crafted requests to cause unspecified denial of service conditions.

Joshua Morin, Mikko Varpiola, and Jukka Taimisto from the CROSS project at Codenomicon Ltd. reported this vulnerability.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued a fix (2.7.STABLE6, 3.0.STABLE13,

The following patches are also available.

Squid 2.7:

Squid 3.0:

Squid 3.1:

The vendor's advisory is available at:

Vendor URL:
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Date:  Thu, 05 Feb 2009 00:53:04 +1300
Subject:  Squid Proxy Cache Denial of Service in request handling


       Squid Proxy Cache Security Update Advisory SQUID-2009:1

Advisory ID:            SQUID-2009:1
Date:                   February 02, 2009
Summary:                Denial of service in request processing
Affected versions:      Squid 2.7 -> 2.7.STABLE5,
                         Squid 3.0 -> 3.0.STABLE12,
                         Squid 3.1 ->
Fixed in version:       Squid 2.7.STABLE6, 3.0.STABLE13,

Problem Description:

  Due to an internal error Squid is vulnerable to a denial
  of service attack when processing specially crafted requests.



  This problem allows any client to perform a denial of service
  attack on the Squid service.


Updated Packages:

  This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13,

  In addition, patches addressing this problem can be found in
  our patch archives:

Squid 2.7:

Squid 3.0:

Squid 3.1:

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated


Determining if your version is vulnerable:

  All Squid-2.7 versions up to, and including 2.7.STABLE5 are

  All Squid-3.0 versions up to and including 3.0.STABLE12 are

  All Squid-3.1 beta versions up to and including are




Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the mailing list is your primary
  support point. For subscription details see

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used

  For reporting of security sensitive bugs send an email to the mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.



  The vulnerability was discovered by Joshua Morin, Mikko Varpiola
  and Jukka Taimisto from the CROSS project at Codenomicon Ltd.


Revision history:

  2009-02-02 13:12 GMT Initial version
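
The version ranges under "Determining if your version is vulnerable" can be checked mechanically. The Python below is an added example, not part of the SecurityTracker entry or the Squid advisory: it classifies a `squid -v` line or a Server/Via header token, the sample banners are constructed, and the 3.1 branch is left undecided because its boundary is not given on this page.

```python
import re

# Branch -> first fixed STABLE release, as stated in the advisory above.
FIRST_FIXED = {(2, 7): 6, (3, 0): 13}
# The 3.1 boundary is not given on this page, so that branch is never guessed.
UNDETERMINED = {(3, 1)}

# Accepts "Squid Cache: Version 3.0.STABLE12" (squid -v output) and
# "squid/2.7.STABLE5" (Server/Via header token).
VERSION_RE = re.compile(
    r"squid(?:\s+cache:\s+version\s+|/)(\d+)\.(\d+)(?:\.([A-Za-z0-9-]+))?", re.I)
STABLE_RE = re.compile(r"STABLE(\d+)", re.I)


def classify(banner):
    """Return 'vulnerable', 'fixed', 'check-advisory', 'not-listed' or 'unparsed'."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    branch = (int(m.group(1)), int(m.group(2)))
    suffix = m.group(3)
    if branch in UNDETERMINED or suffix is None:
        # Boundary unknown, or the release number is hidden or truncated.
        return "check-advisory"
    if branch not in FIRST_FIXED:
        return "not-listed"
    stable = STABLE_RE.match(suffix)
    if not stable:
        # Assumption: non-STABLE suffixes (DEVEL/PRE/RC) are pre-release builds,
        # which the advisory covers with "all versions up to and including".
        return "vulnerable"
    return "fixed" if int(stable.group(1)) >= FIRST_FIXED[branch] else "vulnerable"


# Constructed sample banners, not taken from any real host.
SAMPLES = [
    "Squid Cache: Version 2.7.STABLE5",
    "Squid Cache: Version 2.7.STABLE6",
    "Server: squid/3.0.STABLE12",
    "Via: 1.0 proxy.example:3128 (squid/3.0.STABLE13)",
    "Server: squid/3.1.0.1",
    "Server: squid/2.6.STABLE22",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):15} {line}")
```

A packaged build that carries a backported patch keeps its old version string, so "vulnerable" here means only that the reported number falls in the affected range.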

