[v3.1] squid: man-in-the-middle (CVE-2015-3455)
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
http://seclists.org/oss-sec/2015/q2/316
CONFIRM: http://advisories.mageia.org/MGASA-2015-0191.html
CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
http://www.mandriva.com/security/advisories?name=MDVSA-2015:230
http://www.securitytracker.com/id/1032221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
(from redmine: issue id 4225, created on 2015-05-22, closed on 2016-06-24)
- Relations:
  - parent #4221 (closed)
- Changesets:
  - Revision 5c624c72 by Natanael Copa on 2015-12-02T10:27:57Z:
    main/squid: security upgrade to 3.4.14 (CVE-2015-3455, CVE-2015-5400)
    fixes #4225
    fixes #4708