A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion. This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4. [1] http://wiki.squid-cache.org/Features/SslBump Upstream patches: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch Acknowledgements: Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as the original reporters. External References: http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1074871]
squid-3.3.12-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.
Mitigation: To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives. Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0597 https://rhn.redhat.com/errata/RHSA-2014-0597.html