CVE-2009-2622

NameCVE-2009-2622
DescriptionSquid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1843-1, DSA-1843-2
NVD severitymedium (attack range: remote)
Debian Bugs538989

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster, sid4.4-1fixed
squid3 (PTS)jessie3.4.8-6+deb8u5fixed
jessie (security)3.4.8-6+deb8u6fixed
stretch (security), stretch3.5.23-5+deb9u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsource(unstable)(not affected)
squidsourceetch(not affected)DSA-1843-1
squid3source(unstable)3.0.STABLE18-1medium538989
squid3sourcelenny3.0.STABLE8-3+lenny1mediumDSA-1843-1

Notes

- squid <not-affected> (see NOTE)
squid 2.x not affected, according to
http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Search for package or bug name: Reporting problems