Arch Linux Security Advisory ASA-201505-1 ========================================= Severity: High Date : 2015-05-01 CVE-ID : CVE-2015-3455 Package : squid Type : weak certificate validation Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package squid before version 3.5.4-1 is vulnerable to weak certificate validation. Resolution ========== Upgrade to 3.5.4-1. # pacman -Syu "squid>=3.5.4-1" The problem has been fixed upstream in version 3.5.4. Workaround ========== Upgrade the squid.conf settings to use a "ssl_bump peek" operation before the "bump" operation. NOTE that this workaround does not resolve the vulnerability, but allow Squid to relay (or mimic) the invalid certificate to clients and depends on validation in the client. Alternatively remove from squid.conf (and include'd files) any ssl_bump directives. Description =========== The flaw allows remote servers to bypass client certificate validation. Some attackers may also be able to use valid certificates for one domain signed by a global Certificate Authority to abuse an unrelated domain. However, the bug is exploitable only if you have configured Squid to perform SSL Bumping with the "client-first" or "bump" mode of operation. Sites that do not use SSL-Bump are not vulnerable. Impact ====== A remote attacker is able to bypass client certificate validation, as a result malicious server responses can wrongly be presented through the proxy to clients as secure authenticated HTTPS responses. References ========== http://www.squid-cache.org/Advisories/SQUID-2015_1.txt http://www.openwall.com/lists/oss-security/2015/04/30/2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455