It was found that when Squid was configured with client-first SSL-bump it did not correctly validate the domain / host name fields of the X.509 server certificate. A man-in-the-middle attacker could use this flaw to spoof a server to Squid using a specially crafted X.509 certificate. This flaw is only exploitable when Squid is configured to perform SSL Bumping with the "client-first" or "bump" mode of operation. Sites that do not use SSL-Bump are not vulnerable. This flaw is fixed in Squid versions 3.5.4, 3.4.13, 3.3.14, and 3.2.14. Squid 2.x, 3.0 and 3.1 are not vulnerable to this flaw.
External References: http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
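The check that a bumping proxy must perform before trusting an origin certificate, shown as an added example that is not Squid's code: the server certificate's subjectAltName entries (or, for legacy certificates without a SAN, the subject CN) must match the host the client asked for. The certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()` and are constructed samples.

```python
"""Hostname verification of the kind a client-first SSL bump must not skip.
Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert();
the samples at the bottom are constructed for this example."""
import ipaddress


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host (RFC 6125 style):
    a wildcard is allowed only as the whole leftmost label and never
    matches across a dot, and it may not cover a public suffix like '*.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """Return True only if `cert` is valid for `host`.
    SAN entries are authoritative; the subject CN is consulted only when
    the certificate carries no subjectAltName at all."""
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "DNS" and _dns_name_match(value, host):
                return True
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ipaddress.ip_address(host):
                        return True
                except ValueError:
                    pass  # host is not an IP literal; keep scanning SANs
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, host)
    return False


# Constructed samples: a certificate validly issued for an unrelated name,
# which a hostname-unaware bump would wrongly accept for example.com, and
# the certificate that really belongs to example.com.
UNRELATED_CERT = {
    "subject": ((("commonName", "other.test"),),),
    "subjectAltName": (("DNS", "other.test"), ("DNS", "*.other.test")),
}
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

Running `cert_matches_host(UNRELATED_CERT, "example.com")` returns False, which is the rejection the vulnerable client-first mode failed to produce.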
Statement: This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 and 6.
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1218119]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2378 https://rhn.redhat.com/errata/RHSA-2015-2378.html
libecap-1.0.0-1.fc22, squid-3.5.10-1.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.