CVE-2015-3455
Published: 18 May 2015
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
Notes
| Author | Note |
|---|---|
| mdeslaur | Only an issue if squid3 is built with --enable-ssl, which isn't the case on Debian/Ubuntu for licensing reasons. However, we should probably fix this anyway, as rebuilding the Ubuntu package locally to enable SSL is a common scenario. 3.1.x not affected. |
Priority
Status
| Package | Release | Status |
|---|---|---|
| squid3 (Launchpad, Ubuntu, Debian) | precise | Not vulnerable (3.1.19-1ubuntu3.12.04.4) |
| squid3 | trusty | Released (3.3.8-1ubuntu6.6) |
| squid3 | upstream | Released (3.5.4, 3.4.13, 3.3.14, 3.2.14) |
| squid3 | utopic | Ignored (end of life) |
| squid3 | vivid | Ignored (end of life) |
| squid3 | wily | Released (3.3.8-1ubuntu16.2) |

Patches: upstream: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12690.patch