Summary: | <net-proxy/squid-3.5.4: certificate validation issue (CVE-2015-3455) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | eras
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2015/04/30/2 | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 554168 | |
Bug Blocks: | | |
Description

Agostino Sarubbo, 2015-04-30 10:26:23 UTC

    +*squid-3.5.4 (01 May 2015)
    +*squid-3.4.13 (01 May 2015)
    +
    +  01 May 2015; Eray Aslan <eras@gentoo.org> +squid-3.4.13.ebuild,
    +  +squid-3.5.4.ebuild:
    +  Security bump - bug #548228

Arches, please test and mark stable =net-proxy/squid-3.5.4. Target Keywords = alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

sparc will have to stabilize net-libs/libecap-1.0.0 as well - bug #495854

Please put the atoms on a separate line where they are easy to spot.

Stable for HPPA PPC64.

amd64 stable

ia64 stable

sparc stable

ppc stable

x86 stable

arm stable

CVE-2015-3455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3455): Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

Ping for alpha stabilization.

(In reply to Yury German from comment #11)
> Ping for alpha stabilization.

I had a problem with autogen compilation on alpha as a squid dependency; I will file a bug soon.

alpha stable. Maintainer(s), please cleanup. Security, please vote.

Adding back sparc as it is still missing stabilization.

will continue with bug 554168

Arches and Maintainer(s), Thank you for your work. GLSA Vote: No

GLSA Vote: No
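The CVE text in this bug describes a certificate that is otherwise valid (trusted chain, unexpired) but issued for a different name being accepted when the name binding is not checked. As an added example, which is not Squid's code and not part of this bug report, the following Python sketch shows that binding check next to a validator that only looks at chain and expiry. The certificate dicts, hostnames and function names are constructed for illustration; the chain and expiry results are assumed to have been computed elsewhere and are passed in as booleans.

```python
"""Hostname binding check for X.509 server certificates (added illustration).

Constructed example, not Squid code: a certificate that is correctly signed
and unexpired but issued for another name must still be rejected. Skipping
that step is the behaviour CVE-2015-3455 describes for client-first SSL-bump.
"""
from typing import Dict, Iterable, Tuple


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, wildcard allowed only
    as the entire left-most label, never matching more than one label and
    never at the top two levels ('*.bank.example' matches 'www.bank.example'
    but not 'bank.example' or 'a.b.bank.example')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject wildcards anywhere other than a whole left-most label, and
    # reject patterns too short to pin down a registered domain.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if the requested hostname is covered by any SAN dNSName entry."""
    return any(_match_dns_pattern(p, hostname) for p in san_dns_names)


def naive_accept(cert: Dict) -> bool:
    """The weak check: chain and validity period only, no name binding.
    Any valid certificate for any name passes (constructed 'before')."""
    return bool(cert.get("chain_ok") and cert.get("not_expired"))


def validate_bumped_connection(requested_host: str, cert: Dict) -> Tuple[bool, str]:
    """The corrected check: chain, validity period, and name binding.

    `cert` is a constructed dict standing in for parsed certificate fields:
    {"chain_ok": bool, "not_expired": bool, "san": [dNSName, ...]}.
    Returns (accepted, reason).
    """
    if not cert.get("chain_ok"):
        return False, "untrusted chain"
    if not cert.get("not_expired"):
        return False, "expired"
    if not hostname_matches(requested_host, cert.get("san", [])):
        return False, "hostname mismatch"
    return True, "ok"


# Constructed sample certificates (fields only, no real DER/PEM).
GOOD_CERT = {"chain_ok": True, "not_expired": True,
             "san": ["bank.example", "*.bank.example"]}
VALID_BUT_WRONG_NAME = {"chain_ok": True, "not_expired": True,
                        "san": ["other.example", "*.other.example"]}

if __name__ == "__main__":
    host = "www.bank.example"
    print("naive accepts wrong-name cert:", naive_accept(VALID_BUT_WRONG_NAME))
    print("strict on wrong-name cert:", validate_bumped_connection(host, VALID_BUT_WRONG_NAME))
    print("strict on matching cert:", validate_bumped_connection(host, GOOD_CERT))
```

The point of the contrast is that `naive_accept` returns True for `VALID_BUT_WRONG_NAME`, whereas `validate_bumped_connection` rejects it with "hostname mismatch" while still accepting `GOOD_CERT`; a proxy that terminates TLS on the client's behalf has to perform that third step itself, because the client never sees the origin certificate.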