Date: Tue, 14 Jul 2015 20:27:13 +1200 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: Squid HTTP proxy CVE request -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Any assignment / info on these? Amos On 6/07/2015 11:26 p.m., Amos Jeffries wrote: > Greetings, > > This months release of Squid HTTP proxy, version 3.5.6, contains > fixes for two security issues. > > > Issue #1: > > Due to incorrect handling of peer responses in a hierarchy of 2 or > more proxies remote clients (or scripts run on a client) are able > to gain unrestricted access through a gateway proxy to its backend > proxy. > > If the two proxies have differing levels of security this could > lead to authentication bypass or unprivileged access to supposedly > secure resources. > > <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856 .p > > atch> > > All Squid up to and including 3.5.5 are vulnerable. > > (when published the advisory for this will be > <http://www.squid-cache.org/Advisories/SQUID-2015_2.txt>) > > > Issue #2: > > This is somewhat more obscure, and I am seeking clarification > perhapse more than assignment. > > Squid up to and including 3.5.5 are apparently vulnerable to DoS > attack from malicious clients using repeated TLS renegotiation > messages. This has not been verified as it also seems to require > outdated (0.9.8l and older) OpenSSL libraries. > > <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849 .p > > atch> > > CVE-2009-3555 was mentioned by the submitter, but that was clearly > assigned for server-initiated renegotiation. This Squid change is > specifically for the client-initiated renegotiation part of the > TLS protocol flaw. > > There may be some relevant CVE already assigned, although I've > been unable to find it. Only CVE-2011-1473 which is for the library > itself and disputed. > > So, is server software being assigned specific CVE (or a shared > generic one) for resolving this flaw? Please indicate which CVE > Squid announcements should mention (if any). > > > Thanks, Amos Jeffries Squid Software Foundation > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJVpMfhAAoJEGvSOzfXE+nL6EgP/RqJ6z+9YjsTVgPwyF9bCXfj vVMqGvnr/pbj9fFB82Pp/Fg/8saFgDE1pV3bGI/9D4a1EPCUQ0Hlu6BgK4hY+/bG jO/PDzppbMnd2TTa1J4XUsVLuk9COQBJjFP7d7X/GX5pnam4aXMSf5A3uWZbtzQt 6p9rZ+O23lCr8qSgIr4ekJILelj2wv8E5v7eAGqpZBAV2/IhY/rK6HL6BEC2b88X +9oXw+cMzRdm3qhzcAAtwe2YU/qHYnlyyG+FsZ6C04ZUgx6uTh1O6uuqMn4NZ1LB 16WWAtr1GMviZXdB14xQzaUwgwtaozqf2zfujGk5G/nf4iGhPhoUCgDxhW2FRbyS a4gua1Bd1MbkcjjOyUrTEP135LSsW9Y6YfTSD/MDS7G/3nUWF/cU/6guXFrBCjvg RELk7J+7EtGEY+LmNiaT0Rj1yzMupxgKow8bk+jzSsCsnJGGRtQfrukvwm3PD8Tb jCrDdZyUxFPE29ZXnmFYZHybfL0JZUQ+p6N3Eo99gI5I+hZ4ujfWbizJ8Gamht4n RToUvf5OtP+8KcdFJrxkE3EM3/s9R9UPLoNs2sDxmzapTWBrbjdKguI02mrTRlUk vnTw1R2ySUJIRG/Z4/BKNCYLp8MnkCodU1SntofWqmPfmLLs4gDQbF00kStwVQKn r+tkf/ZfrIQ2b1FcOygQ =klt3 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ