From ${URL} :

"Squid HTTP Proxy configured with client-first SSL bumping does not correctly validate server certificate hostname fields. As a result malicious server responses can wrongly be presented through the proxy to clients as secure authenticated HTTPS responses."

Affected versions are:
3.2.1 -> 3.2.13
3.3.1 -> 3.3.13
3.4.1 -> 3.4.12
3.5.1 -> 3.5.3

Fixed in versions (to be released in ~24hrs) 3.5.4, 3.4.13, 3.3.14, and 3.2.14.

Upstream advisory (when published) will be at: http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+*squid-3.5.4 (01 May 2015) +*squid-3.4.13 (01 May 2015) + + 01 May 2015; Eray Aslan <eras@gentoo.org> +squid-3.4.13.ebuild, + +squid-3.5.4.ebuild: + Security bump - bug #548228 +
Arches, please test and mark stable =net-proxy/squid-3.5.4. Target Keywords = alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
sparc will have to stabilize net-libs/libecap-1.0.0 as well - bug #495854
Please put the atoms on a separate line where they are easy to spot.
Stable for HPPA PPC64.
amd64 stable
ia64 stable
sparc stable
ppc stable
x86 stable
arm stable
CVE-2015-3455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3455): Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
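A quick triage of a host against the version ranges and the client-first condition quoted in this bug, as an added example that is not part of the original thread or of Squid or Gentoo tooling. The function names and the script name are hypothetical, and it assumes the mode is written as an `ssl_bump client-first` line in squid.conf and that the version string is supplied by the caller.

```sh
#!/bin/sh
# Added example: is this host exposed to the issue tracked in this bug?
# Fixed releases per branch, from the report: 3.2.14, 3.3.14, 3.4.13, 3.5.4.

# squid_version_affected VERSION -> exit 0 if VERSION is in an affected range.
squid_version_affected() {
    ver=${1%%[!0-9.]*}    # drop revision suffixes such as "-r1"
    IFS=. read -r major minor patch _rest <<EOF
$ver
EOF
    [ "${major:-0}" = 3 ] || return 1
    case ${minor:-0} in
        2|3) fixed=14 ;;
        4)   fixed=13 ;;
        5)   fixed=4 ;;
        *)   return 1 ;;
    esac
    # Affected ranges start at x.y.1 and end just below the fixed release.
    [ "${patch:-0}" -ge 1 ] && [ "${patch:-0}" -lt "$fixed" ]
}

# conf_uses_client_first FILE -> exit 0 if an active (uncommented) ssl_bump
# line selects client-first. Assumption: the mode is spelled with this keyword.
conf_uses_client_first() {
    grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+client-first([[:space:]]|$)' "$1"
}

# triage VERSION CONF -> prints a verdict; exit 0 only when both conditions hold.
triage() {
    if ! squid_version_affected "$1"; then
        echo "squid $1: not in an affected range"
        return 1
    fi
    if conf_uses_client_first "$2"; then
        echo "squid $1: AFFECTED, client-first SSL bumping enabled in $2"
        return 0
    fi
    echo "squid $1: affected release, no client-first ssl_bump line in $2"
    return 1
}

# Usage: sh check.sh 3.5.3 /etc/squid/squid.conf  (version as shown by `squid -v`)
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```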
Ping for alpha stabilization.
(In reply to Yury German from comment #11)
> Ping for alpha stabilization.

I had a problem with autogen compilation on alpha as squid dependency, I will file a bug soon.
alpha stable. Maintainer(s), please cleanup. Security, please vote.
Adding back sparc as it is still missing stabilization.
will continue with bug 554168
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA Vote: No