CVE-2009-2622

NameCVE-2009-2622
DescriptionSquid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1843-1, DSA-1843-2
NVD severitymedium
Debian Bugs538989

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster, buster (security)4.6-1+deb10u6fixed
bullseye4.13-10fixed
bookworm, sid5.2-1fixed
squid3 (PTS)stretch3.5.23-5+deb9u1fixed
stretch (security)3.5.23-5+deb9u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsourceetch(not affected)DSA-1843-1
squidsource(unstable)(not affected)
squid3sourcelenny3.0.STABLE8-3+lenny1DSA-1843-1
squid3source(unstable)3.0.STABLE18-1medium538989

Notes

- squid <not-affected> (see NOTE)
squid 2.x not affected, according to
http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Search for package or bug name: Reporting problems