Date: Fri, 17 Jul 2015 13:20:19 -0400 (EDT)
Subject: Re: Squid HTTP proxy CVE request

>  - the "must" in "must be denied". "should" would be closer. It has been
> a public issue for a long time and to our knowledge no actual DoS has
> occurred.

>  - other products had issues with client certificate authentication.
> None so far for us. If that is complained about we will likely re-enable
> it for that specific use case.

> When the OpenSSL library provides that flag definition, we set it

The case is somewhat unusual, but we feel that this seems "too
optional" to have a CVE ID. doesn't tell the
user that the OpenSSL library (when an old version is used) must be
configured in a certain way to address a Squid vulnerability.
Admittedly, a user might have already -- for an unrelated reason --
configured OpenSSL to disable client-initiated renegotiation, and
might have an expectation that there would be (in effect) propagation
of this choice into a Squid build. We feel that this isn't an obvious
expectation, especially because that type of propagation isn't
automatic: it requires that an OpenSSL-based product have
application-specific code to support the propagation.

There's no CVE ID for now. If there's a future case where either the
official Squid distribution, or a repackager, decides to
unconditionally force "defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)" to
be true as a vulnerability fix for an OpenSSL 0.9.8l-1.0.2
environment, then a CVE ID should be available.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]