squid 2.5 and CAN-2005-3258

Hi all,

I'm using Squid 2.5.STABLE10, and since I can't afford to migrate to a
newer Squid release on my platform, I'd like to get a status on whether
this version of Squid is impacted by the CAN-2005-3258 vulnerability or not.

A patch for squid 2.5.STABLE11 exists for this issue:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape

After a quick try, it seems this patch does not apply on squid
2.5.STABLE10, mainly because squid 2.5.STABLE10 needs at first another
patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-ftp_basehref

As far as I can see, the rfc1738_do_escape patch fixes some stuffs in
the ftp_basehref patch itself, rather than flaws in squid 2.5.STABLE10.
As a consequence, I wonder if the latter patch has introduced the
vulnerability or if it was existing anyway.

Can someone tell me if the code from squid 2.5.STABLE10 is affected by
this vulnerability?

Another possiblity to know the answer would be to try to reproduce the
issue with squid 2.5.STABLE10. The bug-tracker highlights that some FTP
URL are likely to force the crash. Any hints?

Thanks in advance for your time

--
Aurelien
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient,  you are not authorized to read, print, retain, copy, disseminate,  distribute, or use this message or any part thereof. If you receive this  message in error, please notify the sender immediately and delete all  copies of this message.