Mathias Fischer

#19573 of 53,633
13.4 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2016-1724
5.9
2016-03-15
Squid · Squid · CVE-2016-2390
**Name of the Vulnerable Software and Affected Versions**

Squid versions prior to 3.5.14
Squid versions 4.0.x prior to 4.0.6

**Description**

The issue arises from insufficient input validation in the FwdState::connectedToPeer method of the Squid proxy server. This can be exploited by a remote attacker to cause a denial of service, resulting in the application crashing, by sending an unencrypted HTTP message.

**Recommendations**

For Squid versions prior to 3.5.14, update to version 3.5.14 or later to resolve the issue.
For Squid versions 4.0.x prior to 4.0.6, update to version 4.0.6 or later to resolve the issue.
PT-2016-1432
7.5
2014-04-24
Squid · Squid · CVE-2016-2569
**Name of the Vulnerable Software and Affected Versions**

Squid versions 3.x through 3.5.14
Squid versions 4.x through 4.0.6

**Description**

The issue allows remote servers to cause a denial of service via a long string, as demonstrated by a crafted HTTP Vary header. This occurs because Squid does not properly append data to String objects, leading to an assertion failure and daemon exit.

**Recommendations**

For Squid versions 3.x through 3.5.14, update to version 3.5.15 or later.
For Squid versions 4.x through 4.0.6, update to version 4.0.7 or later.