[arch-security] [ASA-201505-1] squid: weak certificate validation
anthraxx at archlinux.org
Fri May 1 22:43:05 UTC 2015
Arch Linux Security Advisory ASA-201505-1
Date : 2015-05-01
CVE-ID : CVE-2015-3455
Package : squid
Type : weak certificate validation
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package squid before version 3.5.4-1 is vulnerable to weak
Upgrade to 3.5.4-1.
# pacman -Syu "squid>=3.5.4-1"
The problem has been fixed upstream in version 3.5.4.
Upgrade the squid.conf settings to use a "ssl_bump peek" operation
before the "bump" operation.
NOTE that this workaround does not resolve the vulnerability, but allow
Squid to relay (or mimic) the invalid certificate to clients and depends
on validation in the client.
Alternatively remove from squid.conf (and include'd files) any ssl_bump
The flaw allows remote servers to bypass client certificate validation.
Some attackers may also be able to use valid certificates for one domain
signed by a global Certificate Authority to abuse an unrelated domain.
However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" or "bump" mode of operation.
Sites that do not use SSL-Bump are not vulnerable.
A remote attacker is able to bypass client certificate validation, as a
result malicious server responses can wrongly be presented through the
proxy to clients as secure authenticated HTTPS responses.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security