oss-sec mailing list archives
Re: Squid HTTP proxy CVE request
From: cve-assign () mitre org
Date: Fri, 17 Jul 2015 13:20:19 -0400 (EDT)
> - the "must" in "must be denied". "should" would be closer. It has been a public issue for a long time and to our knowledge no actual DoS has occurred.
> - other products had issues with client certificate authentication. None so far for us. If that is complained about we will likely re-enable it for that specific use case.
> When the OpenSSL library provides that flag definition, we set it
The case is somewhat unusual, but we feel that this seems "too optional" to have a CVE ID. http://wiki.squid-cache.org/SquidFaq/CompilingSquid doesn't tell the user that the OpenSSL library (when an old version is used) must be configured in a certain way to address a Squid vulnerability. Admittedly, a user might have already -- for an unrelated reason -- configured OpenSSL to disable client-initiated renegotiation, and might have an expectation that there would be (in effect) propagation of this choice into a Squid build. We feel that this isn't an obvious expectation, especially because that type of propagation isn't automatic: it requires that an OpenSSL-based product have application-specific code to support the propagation.

There's no CVE ID for now. If there's a future case where either the official Squid distribution, or a repackager, decides to unconditionally force "defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)" to be true as a vulnerability fix for an OpenSSL 0.9.8l-1.0.2 environment, then a CVE ID should be available.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Squid HTTP proxy CVE request Amos Jeffries (Jul 06)
- Re: Squid HTTP proxy CVE request Amos Jeffries (Jul 08)
- Re: Squid HTTP proxy CVE request Reed Black (Jul 09)
- Re: Squid HTTP proxy CVE request Amos Jeffries (Jul 09)
- Re: Squid HTTP proxy CVE request Amos Jeffries (Jul 14)
- Re: Squid HTTP proxy CVE request Mark Felder (Jul 17)
- Re: Squid HTTP proxy CVE request cve-assign (Jul 17)
- Re: Re: Squid HTTP proxy CVE request Amos Jeffries (Jul 17)
- Re: Squid HTTP proxy CVE request cve-assign (Jul 17)