Bug 1074870 (CVE-2014-0128)

Summary: CVE-2014-0128 squid: denial of service when using SSL-Bump
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: henrik, jkurik, jonathansteffan, mluscon, myamazak, pfrields, psimerda, thozza, vdanen, vg.aetera
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 3.3.12, squid 3.4.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-03 17:01:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1074871, 1074873, 1098134, 1098135    
Bug Blocks: 1074872    

Description Murray McAllister 2014-03-11 07:23:48 UTC 
A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion.

This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.

[1] http://wiki.squid-cache.org/Features/SslBump

Upstream patches:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch

Acknowledgements:

Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as the original reporters.

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Comment 1 Murray McAllister 2014-03-11 07:26:16 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1074871]
Comment 3 Fedora Update System 2014-04-02 09:18:55 UTC 
squid-3.3.12-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Vincent Danen 2014-04-28 14:48:56 UTC 
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.
Comment 5 Vincent Danen 2014-04-28 14:52:26 UTC 
Mitigation:

To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives.  Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.
Comment 7 errata-xmlrpc 2014-06-03 16:16:52 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0597 https://rhn.redhat.com/errata/RHSA-2014-0597.html