Squid "strHdrAcptLangGetItem()" Denial of Service

by Carol~ Moderator - 3/12/13 4:53 AM

In Reply to: VULNERABILITIES / FIXES - March 12, 2013 by Carol~ Moderator

Squid "strHdrAcptLangGetItem()" Denial of Service Vulnerability

Release Date : 2013-03-12

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Workaround

Software: Squid 3.x

Description:
A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "strHdrAcptLangGetItem()" function (errorpage.cc) when handling the "Accept-Language" header. This can be exploited to trigger an infinite loop and consume CPU resources.

The vulnerability is reported in versions 3.3.2 and prior and versions 3.2.8 and prior.

Solution:
Apply patch.

Provided and/or discovered by:
22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b, and AKAT-1

Original Advisory:
http://archives.neohapsis.com/archives/bugtraq/2013-03/0025.html
http://archives.neohapsis.com/archives/bugtraq/2013-03/0069.html

http://secunia.com/advisories/52588/