Patch attached to bug 201374

vuln.xml (+83 lines)
Lines 57-62
57
57
58
-->
58
-->
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
60
  <vuln vid="150d1538-23fa-11e5-a4a5-002590263bf5">
61
    <topic>squid -- multiple vulnerabilities</topic>
62
    <affects>
63
      <package>
64
	<name>squid</name>
65
	<range><ge>3.5</ge><lt>3.5.6</lt></range>
66
      </package>
67
    </affects>
68
    <description>
69
      <body xmlns="http://www.w3.org/1999/xhtml">
70
	<p>Amos Jeffries, Squid-3 release manager, reports:</p>
71
	<blockquote cite="http://openwall.com/lists/oss-security/2015/07/06/8">
72
	  <p>Due to incorrect handling of peer responses in a hierarchy of 2 or
73
	    more proxies remote clients (or scripts run on a client) are able to
74
	    gain unrestricted access through a gateway proxy to its backend
75
	    proxy.</p>
76
	  <p>If the two proxies have differing levels of security this could
77
	    lead to authentication bypass or unprivileged access to supposedly
78
	    secure resources.</p>
79
	  <p>Squid up to and including 3.5.5 are apparently vulnerable to DoS
80
	    attack from malicious clients using repeated TLS renegotiation
81
	    messages. This has not been verified as it also seems to require
82
	    outdated (0.9.8l and older) OpenSSL libraries.</p>
83
	</blockquote>
84
      </body>
85
    </description>
86
    <references>
87
      <mlist>http://openwall.com/lists/oss-security/2015/07/06/8</mlist>
88
    </references>
89
    <dates>
90
      <discovery>2015-07-06</discovery>
91
      <entry>2015-07-06</entry>
92
    </dates>
93
  </vuln>
94
95
  <vuln vid="b6da24da-23f7-11e5-a4a5-002590263bf5">
96
    <topic>squid -- client-first SSL-bump does not correctly validate X509 server certificate</topic>
97
    <affects>
98
      <package>
99
	<name>squid</name>
100
	<range><ge>3.5</ge><lt>3.5.4</lt></range>
101
	<range><ge>3.4</ge><lt>3.4.13</lt></range>
102
      </package>
103
      <package>
104
	<name>squid33</name>
105
	<range><ge>3.3</ge><lt>3.3.14</lt></range>
106
      </package>
107
      <package>
108
	<name>squid32</name>
109
	<range><ge>3.2</ge><lt>3.2.14</lt></range>
110
      </package>
111
    </affects>
112
    <description>
113
      <body xmlns="http://www.w3.org/1999/xhtml">
114
	<p>Squid security advisory 2015:1 reports:</p>
115
	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2015_1.txt">
116
	  <p>Squid configured with client-first SSL-bump does not correctly
117
	    validate X509 server certificate domain / hostname fields.</p>
118
	  <p>The bug is important because it allows remote servers to bypass
119
	    client certificate validation. Some attackers may also be able
120
	    to use valid certificates for one domain signed by a global
121
	    Certificate Authority to abuse an unrelated domain.</p>
122
	  <p>However, the bug is exploitable only if you have configured
123
	    Squid to perform SSL Bumping with the "client-first" or "bump"
124
	    mode of operation.</p>
125
	  <p>Sites that do not use SSL-Bump are not vulnerable.</p>
126
	  <p>All Squid built without SSL support are not vulnerable to the
127
	    problem.</p>
128
	</blockquote>
129
	<p>The FreeBSD port does not use SSL by default and is not vulnerable
130
	  in the default configuration.</p>
131
      </body>
132
    </description>
133
    <references>
134
      <cvename>CVE-2015-3455</cvename>
135
      <url>http://www.squid-cache.org/Advisories/SQUID-2015_1.txt</url>
136
    </references>
137
    <dates>
138
      <discovery>2015-05-01</discovery>
139
      <entry>2015-07-06</entry>
140
    </dates>
141
  </vuln>
142
60
  <vuln vid="72fccfdf-2061-11e5-a4a5-002590263bf5">
143
  <vuln vid="72fccfdf-2061-11e5-a4a5-002590263bf5">
61
    <topic>ansible -- multiple vulnerabilities</topic>
144
    <topic>ansible -- multiple vulnerabilities</topic>
62
    <affects>
145
    <affects>
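Review bot: the first entry (vid 150d1538-23fa-11e5-a4a5-002590263bf5) carries no `<cvename>` and its only reference is the oss-security post it quotes, and that quoted text itself says the TLS renegotiation DoS "has not been verified" and "seems to require outdated (0.9.8l and older) OpenSSL libraries"; either restrict the description to the peer-response access problem or make that qualification explicit, and add a `<cvename>` or advisory `<url>` once one exists. Its single range `<ge>3.5</ge><lt>3.5.6</lt>` also covers only the 3.5 branch while the quote says "Squid up to and including 3.5.5", so confirm whether `squid33` and `squid32` need `<package>` ranges the way the second entry (b6da24da-23f7-11e5-a4a5-002590263bf5) lists them. The second entry looks complete: CVE-2015-3455, the advisory URL matching its `cite`, and the FreeBSD-specific note about the non-SSL default correctly placed outside the `<blockquote>`.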