This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
The squid patches page notes :
This patch makes Squid considerably stricter while parsing the HTTP
- A Content-length header should only appear once in a valid request
or response. Multiple Content-length headers, in conjunction with
specially crafted requests, may allow Squid's cache to be poisoned
with bad content in certain situations.
- CR characters are only allowed as part of the CR NL line terminator,
not alone. This is to ensure that all involved agree on the structure of
- Rejects requests/responses that have whitespace in an HTTP header
To enable these strict parsing rules, update to at least squid-2.5.7_9
and specify relaxed_header_parser off in squid.conf.
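
The first two rules quoted above (a single Content-length header, and CR only as part of CR NL), sketched as a check over a raw header block. This is an added example, not Squid's code or part of the plugin; the function name and sample messages are hypothetical and constructed for illustration.

```python
# Added example: strict checks on a raw HTTP header block.
# Names are hypothetical; the sample messages below are constructed.

def strict_header_violations(raw: bytes) -> list[str]:
    """Return the strict-parsing rules that a raw HTTP message head violates."""
    violations = []
    # Only the head (start line plus headers) is checked, never the body.
    head = raw.split(b"\r\n\r\n", 1)[0]

    # Rule: CR is only valid as part of the CR NL line terminator.
    # A lenient parser may treat a bare CR as a line break while another
    # hop does not, so the two disagree on where headers start and end.
    for i, byte in enumerate(head):
        if byte == 0x0D and head[i + 1:i + 2] != b"\n":
            violations.append(f"bare CR at offset {i}")

    # Rule: Content-Length may appear only once. Two hops that each pick
    # a different copy will disagree on where the body ends.
    count = 0
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            count += 1
    if count > 1:
        violations.append(f"Content-Length appears {count} times")
    return violations


# Constructed sample messages.
GOOD = (b"POST /upload HTTP/1.1\r\nHost: cache.example\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_LENGTH = (b"POST /upload HTTP/1.1\r\nHost: cache.example\r\n"
                    b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
BARE_CR = (b"GET / HTTP/1.1\r\nHost: cache.example\r\n"
           b"X-Note: a\rb\r\n\r\n")

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("duplicate", DUPLICATE_LENGTH),
                       ("bare CR", BARE_CR)]:
        print(label, strict_header_violations(msg))
```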
See also :
Update the affected package.
Risk factor :
Medium / CVSS Base Score : 5.0