
Bug 548228 (CVE-2015-3455)

Summary: <net-proxy/squid-3.5.4: certificate validation issue (CVE-2015-3455)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eras
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2015/04/30/2
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 554168
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-04-30 10:26:23 UTC
From ${URL} :

"Squid HTTP Proxy configured with client-first SSL bumping does not
correctly validate server certificate hostname fields. As a result
malicious server responses can wrongly be presented through the proxy
to clients as secure authenticated HTTPS responses."

Affected versions are:
 3.2.1 -> 3.2.13
 3.3.1 -> 3.3.13
 3.4.1 -> 3.4.12
 3.5.1 -> 3.5.3

Fixed in versions (to be released in ~24hrs) 3.5.4, 3.4.13, 3.3.14,
and 3.2.14.

Upstream advisory (when published) will be at:
 http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
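Added triage example (not part of this bug report and not Squid project code): a small Python script that checks a Squid version string against the affected ranges listed above and scans a squid.conf for the client-first bumping mode the advisory names. It assumes the `ssl_bump client-first <acl ...>` directive syntax used by Squid 3.2 to 3.5 and works on a constructed sample config; it reports only whether the named configuration is present on an affected version, and says nothing about the other bumping modes.

```python
"""Triage for CVE-2015-3455: is this Squid version and config the one the advisory names?

Added example, not code from this bug or from the Squid project.
Assumes the 'ssl_bump client-first <acl ...>' directive syntax of Squid 3.2-3.5.
"""
import re

# Affected ranges exactly as the advisory lists them (inclusive bounds).
AFFECTED_RANGES = [
    ((3, 2, 1), (3, 2, 13)),
    ((3, 3, 1), (3, 3, 13)),
    ((3, 4, 1), (3, 4, 12)),
    ((3, 5, 1), (3, 5, 3)),
]

# Constructed sample squid.conf for the demo (not a real deployment).
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/bump.pem
# The mode the advisory names as affected:
ssl_bump client-first all
# ssl_bump server-first all   (commented out: must not be flagged)
"""


def parse_version(text):
    """'3.5.4' or '3.5.4-r1' (Gentoo revision suffix) -> (3, 5, 4)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Squid version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def client_first_lines(conf_text):
    """(line number, directive) for each active 'ssl_bump client-first' line.

    '#' comments and blank lines are ignored, so a commented-out directive
    is not reported.
    """
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ssl_bump" and parts[1] == "client-first":
            hits.append((n, line))
    return hits


def triage(version, conf_text):
    """The advisory's scenario needs both: an affected version and client-first bumping."""
    vuln_version = is_affected_version(version)
    hits = client_first_lines(conf_text)
    return {
        "version_affected": vuln_version,
        "client_first_lines": hits,
        "exposed": vuln_version and bool(hits),
    }


if __name__ == "__main__":
    for ver in ("3.4.12", "3.4.13", "3.5.3", "3.5.4"):
        print(ver, triage(ver, SAMPLE_CONF))
```

Run it against the output of `squid -v` and the live squid.conf; an `exposed` result of True on a box that cannot be bumped to 3.5.4/3.4.13 right away is the case where switching away from client-first mode is worth considering.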
Comment 1 Eray Aslan gentoo-dev 2015-05-01 21:11:29 UTC
+*squid-3.5.4 (01 May 2015)
+*squid-3.4.13 (01 May 2015)
+
+  01 May 2015; Eray Aslan <eras@gentoo.org> +squid-3.4.13.ebuild,
+  +squid-3.5.4.ebuild:
+  Security bump - bug #548228
+
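Review bot: the ChangeLog entry cites only the bug number, so anyone grepping the tree by CVE will miss it; since the bug itself is aliased to CVE-2015-3455, include the identifier in the entry, e.g. "Security bump - bug #548228 (CVE-2015-3455)".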

Arches, please test and mark stable =net-proxy/squid-3.5.4.

Target Keywords = alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

sparc will have to stabilize net-libs/libecap-1.0.0 as well - bug #495854
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-02 10:09:53 UTC
Please put the atoms on a separate line where they are easy to spot.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-03 07:14:09 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-04 10:07:02 UTC
amd64 stable
Comment 5 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:43:17 UTC
ia64 stable
Comment 6 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 06:26:24 UTC
sparc stable
Comment 7 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 06:48:17 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-05-19 07:25:40 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-27 13:02:00 UTC
arm stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-05-28 22:01:31 UTC
CVE-2015-3455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3455):
  Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and
  3.5.x before 3.5.4, when configured with client-first SSL-bump, does not
  properly validate the domain or hostname fields of X.509 certificates, which
  allows man-in-the-middle attackers to spoof SSL servers via a valid
  certificate.
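The NVD text above comes down to this: path validation passed, name validation was skipped, so a certificate that any trusted CA issued to anyone was accepted for whatever host the client asked for. Added example, not Squid code, contrasting the two checks in Python. Certificate inputs are constructed dicts (a `chain_valid` flag plus the names), the `accept_client_first` function is an illustrative reduction of the behaviour the advisory describes rather than Squid's actual code path, and the matching rules (dNSName SANs first, CN only when no dNSName SAN exists, a wildcard only as the whole leftmost label) are the usual RFC 6125 ones, which Squid's own checker may differ from in detail.

```python
"""Chain validation versus hostname validation, the gap CVE-2015-3455 describes.

Added example, not Squid code. Certificates are constructed dicts:
  chain_valid - outcome of path validation against the trusted CA set
  san_dns     - dNSName entries from subjectAltName
  subject_cn  - subject CommonName (fallback only when no dNSName SAN exists)
Name matching follows the usual RFC 6125 rules; Squid's own checker may
differ in detail.
"""


def _name_matches(pattern, host):
    """Case-insensitive exact match, or a wildcard that is the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if not all(h_labels):                 # empty label: malformed host, never matches
        return False
    # '*' must be the whole leftmost label, must not cover a public suffix
    # such as '*.com', and matches exactly one label (no sub-subdomains).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """True if the certificate was issued for 'host'."""
    san = cert.get("san_dns") or []
    if san:                                # SAN present: CN is ignored entirely
        return any(_name_matches(n, host) for n in san)
    cn = cert.get("subject_cn")
    return bool(cn) and _name_matches(cn, host)


def accept_client_first(cert, requested_host):
    """The behaviour the advisory describes: only the chain is checked, the name is not.
    Illustrative reduction of the bug, not Squid's actual code path."""
    return cert["chain_valid"]


def accept_fixed(cert, requested_host):
    """Chain AND name must match the host the client asked for."""
    return cert["chain_valid"] and hostname_matches(cert, requested_host)


# Constructed certificates for the demo.
BANK = {"chain_valid": True, "subject_cn": "bank.example",
        "san_dns": ["bank.example", "www.bank.example"]}
# A perfectly valid certificate, issued by a trusted CA, for a name the
# attacker controls. This is the "valid certificate" in the NVD text.
ATTACKER = {"chain_valid": True, "subject_cn": "attacker.example",
            "san_dns": ["attacker.example"]}
SELF_SIGNED = {"chain_valid": False, "subject_cn": "bank.example",
               "san_dns": ["bank.example"]}
WILDCARD = {"chain_valid": True, "subject_cn": None, "san_dns": ["*.bank.example"]}


if __name__ == "__main__":
    for name, cert in (("bank", BANK), ("attacker", ATTACKER), ("self-signed", SELF_SIGNED)):
        print("%-12s client-first=%s fixed=%s" % (
            name, accept_client_first(cert, "bank.example"), accept_fixed(cert, "bank.example")))
```

The attacker case is the one that matters: a self-signed certificate is rejected by both checks, but a CA-issued certificate for attacker.example sails through the chain-only check when presented for bank.example, and a bumping proxy then re-signs the response with its own CA so the browser sees a clean, "authenticated" HTTPS page.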
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 18:56:34 UTC
Ping for alpha stabilization.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-30 20:10:34 UTC
(In reply to Yury German from comment #11)
> Ping for alpha stabilization.

I had a problem with autogen compilation on alpha as a squid dependency; I will file a bug soon.
Comment 13 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:25 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Eray Aslan gentoo-dev 2015-07-03 11:05:02 UTC
Adding back sparc as it is still missing stabilization.
Comment 15 Pacho Ramos gentoo-dev 2015-07-19 12:45:02 UTC
Will continue with bug 554168.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 13:34:05 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-08 06:31:45 UTC
GLSA Vote: No