Squid "strHdrAcptLangGetItem()" Denial of Service

by Carol~ Moderator - 3/12/13 4:53 AM

In Reply to: VULNERABILITIES / FIXES - March 12, 2013 by Carol~ Moderator

Squid "strHdrAcptLangGetItem()" Denial of Service Vulnerability

Release Date : 2013-03-12

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Workaround

Software: Squid 3.x

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error within the "strHdrAcptLangGetItem()" function (errorpage.cc) when handling the "Accept-Language" header. This can be exploited to trigger an infinite loop and consume CPU resources.

The vulnerability is reported in versions 3.3.2 and prior and versions 3.2.8 and prior.

Apply patch.

Provided and/or discovered by:
22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b, and AKAT-1

Original Advisory: