Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters.
Software | From | Fixed in |
---|---|---|
squid / squid | 2.5_.stable1 | 2.5_.stable1.x |
squid / squid | 2.5_.stable3 | 2.5_.stable3.x |
squid / squid | 2.5_.stable4 | 2.5_.stable4.x |
squid / squid | 2.5_.stable5 | 2.5_.stable5.x |
squid / squid | 2.5_.stable6 | 2.5_.stable6.x |
squid / squid | 2.5_stable3 | 2.5_stable3.x |
squid / squid | 2.5_stable4 | 2.5_stable4.x |
squid / squid | 2.5_stable9 | 2.5_stable9.x |
squid / squid | 2.5.6 | 2.5.6.x |
squid / squid | 2.5.stable1 | 2.5.stable1.x |
squid / squid | 2.5.stable2 | 2.5.stable2.x |
squid / squid | 2.5.stable3 | 2.5.stable3.x |
squid / squid | 2.5.stable4 | 2.5.stable4.x |
squid / squid | 2.5.stable5 | 2.5.stable5.x |
squid / squid | 2.5.stable6 | 2.5.stable6.x |
squid / squid | 2.5.stable7 | 2.5.stable7.x |