Bug 1074870 (CVE-2014-0128) - CVE-2014-0128 squid: denial of service when using SSL-Bump
Summary: CVE-2014-0128 squid: denial of service when using SSL-Bump
Alias: CVE-2014-0128
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1074871 1074873 1098134 1098135
Blocks: 1074872
TreeView+ depends on / blocked
Reported: 2014-03-11 07:23 UTC by Murray McAllister
Modified: 2023-05-12 02:38 UTC (History)
10 users (show)

Fixed In Version: squid 3.3.12, squid 3.4.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-03 17:01:45 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0597 0 normal SHIPPED_LIVE Moderate: squid security update 2014-06-03 20:16:40 UTC

Description Murray McAllister 2014-03-11 07:23:48 UTC
A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion.

This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.

[1] http://wiki.squid-cache.org/Features/SslBump

Upstream patches:


Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as the original reporters.

External References:


Comment 1 Murray McAllister 2014-03-11 07:26:16 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1074871]

Comment 3 Fedora Update System 2014-04-02 09:18:55 UTC
squid-3.3.12-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Vincent Danen 2014-04-28 14:48:56 UTC

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.

Comment 5 Vincent Danen 2014-04-28 14:52:26 UTC

To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives.  Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.

Comment 7 errata-xmlrpc 2014-06-03 16:16:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0597 https://rhn.redhat.com/errata/RHSA-2014-0597.html

Note You need to log in before you can comment on or make changes to this bug.