CVE-2004-2654 Affecting squid package, versions <2.5.6


Severity

Recommended: 0.0, medium (scale 0 to 10)

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 5.6% (94th percentile)

  • Snyk ID: SNYK-DEBIAN13-SQUID-5695901
  • published: 31 Dec 2004
  • disclosed: 31 Dec 2004

Introduced: 31 Dec 2004

CVE-2004-2654

How to fix?

Upgrade Debian:13 squid to version 2.5.6 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream squid package and not the squid package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that the issue was a buffer overflow that was not fixed in STABLE6. However, the vendor's bug report clearly shows that the researcher later retracted this claim, because the tested product was actually STABLE5.

CVSS Scores

version 3.1