Bug 1074870 - (CVE-2014-0128) CVE-2014-0128 squid: denial of service when using SSL-Bump
CVE-2014-0128 squid: denial of service when using SSL-Bump
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140309,repor...
: Security
Depends On: 1074871 1074873 1098134 1098135
Blocks: 1074872
  Show dependency treegraph
 
Reported: 2014-03-11 03:23 EDT by Murray McAllister
Modified: 2015-10-15 14:16 EDT (History)
10 users (show)

See Also:
Fixed In Version: squid 3.3.12, squid 3.4.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-03 13:01:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0597 normal SHIPPED_LIVE Moderate: squid security update 2014-06-03 16:16:40 EDT

  None (edit)
Description Murray McAllister 2014-03-11 03:23:48 EDT
A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion.

This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.

[1] http://wiki.squid-cache.org/Features/SslBump

Upstream patches:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch

Acknowledgements:

Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as the original reporters.

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Comment 1 Murray McAllister 2014-03-11 03:26:16 EDT
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1074871]
Comment 3 Fedora Update System 2014-04-02 05:18:55 EDT
squid-3.3.12-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Vincent Danen 2014-04-28 10:48:56 EDT
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.
Comment 5 Vincent Danen 2014-04-28 10:52:26 EDT
Mitigation:

To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives.  Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.
Comment 7 errata-xmlrpc 2014-06-03 12:16:52 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0597 https://rhn.redhat.com/errata/RHSA-2014-0597.html

Note You need to log in before you can comment on or make changes to this bug.