oss-sec mailing list archives

Re: Squid Proxy multiple vulnerabilities


From: Amos Jeffries <squid3 () treenet co nz>
Date: Mon, 29 Oct 2018 07:43:50 +1300

On 29/10/18 6:21 AM, Hanno Böck wrote:
> On Mon, 29 Oct 2018 05:13:40 +1300
> Amos Jeffries wrote:
>
>> <http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
>
> That gives a 404.

YMMV as third-party mirrors are still updating in some parts.

> Also there's another yet unfixed vulnerability: The webpage and the
> downloads are not using HTTPS, which makes them vulnerable to
> man-in-the-middle attacks ;-)


This is intentional. We do not restrict to those able to access HTTPS.

Also, notice that issue is most relevant to installations routinely
MITM'ing the HTTPS protocol.


AYJ

Attachment: signature.asc
Description: OpenPGP digital signature

