Date: Fri, 17 Jul 2015 13:20:19 -0400 (EDT)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Squid HTTP proxy CVE request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> - the "must" in "must be denied". "should" would be closer. It has been
> a public issue for a long time and to our knowledge no actual DoS has
> occurred.

> - other products had issues with client certificate authentication.
> None so far for us. If that is complained about we will likely re-enable
> it for that specific use case.

> When the OpenSSL library provides that flag definition, we set it

The case is somewhat unusual, but we feel that this seems "too optional"
to have a CVE ID. http://wiki.squid-cache.org/SquidFaq/CompilingSquid
doesn't tell the user that the OpenSSL library (when an old version is
used) must be configured in a certain way to address a Squid
vulnerability. Admittedly, a user might have already -- for an unrelated
reason -- configured OpenSSL to disable client-initiated renegotiation,
and might have an expectation that there would be (in effect)
propagation of this choice into a Squid build. We feel that this isn't
an obvious expectation, especially because that type of propagation
isn't automatic: it requires that an OpenSSL-based product have
application-specific code to support the propagation.

There's no CVE ID for now. If there's a future case where either the
official Squid distribution, or a repackager, decides to unconditionally
force "defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)" to be true as a
vulnerability fix for an OpenSSL 0.9.8l-1.0.2 environment, then a CVE ID
should then be available.
- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVqTjaAAoJEKllVAevmvmsB2QH/irNR+AYV7bea/MTN3GdJymn
NqP9rlZXtfIDUuDnjJ24bg4+CYcglhbt4kK5rbGl4TBAFY6dd1YCZHwYR29iPPEE
lhTeuPXmlwWIDCyxN/tsdptvbatjrax8P0vc/7UAO0YgSSHTWPATrdCqZ1v03oYO
IPeB/Yd4Axk406h8HoKYIwnawr6ifjILlRDDL8io5fh6PXU3nJdwPeLjwPLbtXH6
tpDAPFhysF5YhZ4tNJxTOeIULS3D79M/wMn/+KpP3PQOFf+8RJY5Obg+KFKQ6XCk
/zDsppAMtcjQIduWiLxZHTU0bzaWidWpEM7ODSe6TEnBk8DATfMc06rapZNdoqo=
=L1eB
-----END PGP SIGNATURE-----