Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 20:27:13 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Squid HTTP proxy CVE request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Any assignment / info on these?

Amos

On 6/07/2015 11:26 p.m., Amos Jeffries wrote:
> Greetings,
> 
> This months release of Squid HTTP proxy, version 3.5.6, contains
> fixes for two security issues.
> 
> 
> Issue #1:
> 
> Due to incorrect handling of peer responses in a hierarchy of 2 or 
> more proxies remote clients (or scripts run on a client) are able
> to gain unrestricted access through a gateway proxy to its backend
> proxy.
> 
> If the two proxies have differing levels of security this could
> lead to authentication bypass or unprivileged access to supposedly
> secure resources.
> 
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856
.p
>
> 
atch>
> 
> All Squid up to and including 3.5.5 are vulnerable.
> 
> (when published the advisory for this will be 
> <http://www.squid-cache.org/Advisories/SQUID-2015_2.txt>)
> 
> 
> Issue #2:
> 
> This is somewhat more obscure, and I am seeking clarification
> perhapse more than assignment.
> 
> Squid up to and including 3.5.5 are apparently vulnerable to DoS 
> attack from malicious clients using repeated TLS renegotiation 
> messages. This has not been verified as it also seems to require 
> outdated (0.9.8l and older) OpenSSL libraries.
> 
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849
.p
>
> 
atch>
> 
> CVE-2009-3555 was mentioned by the submitter, but that was clearly 
> assigned for server-initiated renegotiation. This Squid change is 
> specifically for the client-initiated renegotiation part of the
> TLS protocol flaw.
> 
> There may be some relevant CVE already assigned, although I've
> been unable to find it. Only CVE-2011-1473 which is for the library
> itself and disputed.
> 
> So, is server software being assigned specific CVE (or a shared 
> generic one) for resolving this flaw? Please indicate which CVE
> Squid announcements should mention (if any).
> 
> 
> Thanks, Amos Jeffries Squid Software Foundation
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJVpMfhAAoJEGvSOzfXE+nL6EgP/RqJ6z+9YjsTVgPwyF9bCXfj
vVMqGvnr/pbj9fFB82Pp/Fg/8saFgDE1pV3bGI/9D4a1EPCUQ0Hlu6BgK4hY+/bG
jO/PDzppbMnd2TTa1J4XUsVLuk9COQBJjFP7d7X/GX5pnam4aXMSf5A3uWZbtzQt
6p9rZ+O23lCr8qSgIr4ekJILelj2wv8E5v7eAGqpZBAV2/IhY/rK6HL6BEC2b88X
+9oXw+cMzRdm3qhzcAAtwe2YU/qHYnlyyG+FsZ6C04ZUgx6uTh1O6uuqMn4NZ1LB
16WWAtr1GMviZXdB14xQzaUwgwtaozqf2zfujGk5G/nf4iGhPhoUCgDxhW2FRbyS
a4gua1Bd1MbkcjjOyUrTEP135LSsW9Y6YfTSD/MDS7G/3nUWF/cU/6guXFrBCjvg
RELk7J+7EtGEY+LmNiaT0Rj1yzMupxgKow8bk+jzSsCsnJGGRtQfrukvwm3PD8Tb
jCrDdZyUxFPE29ZXnmFYZHybfL0JZUQ+p6N3Eo99gI5I+hZ4ujfWbizJ8Gamht4n
RToUvf5OtP+8KcdFJrxkE3EM3/s9R9UPLoNs2sDxmzapTWBrbjdKguI02mrTRlUk
vnTw1R2ySUJIRG/Z4/BKNCYLp8MnkCodU1SntofWqmPfmLLs4gDQbF00kStwVQKn
r+tkf/ZfrIQ2b1FcOygQ
=klt3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ