Bug 2010685 (CVE-2021-41611) - CVE-2021-41611 squid: improper certificate validation
Summary: CVE-2021-41611 squid: improper certificate validation
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-41611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2010686 2011031
Blocks: 2010687
Reported: 2021-10-05 10:57 UTC by Marian Rehak
Modified: 2024-04-03 16:01 UTC

Fixed In Version: squid 5.2
Doc Type: If docs needed, set a value
Doc Text:
The squid proxy package may incorrectly classify certain TLS server certificates as trusted, specifically when multiple CAs have signed the server certificate or when the server's certificate chain is broken. A remote server can thereby obtain a trust indication that is not valid, and that indication may be passed on to clients. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2022-04-18 00:27:51 UTC
Embargoed:


Description Marian Rehak 2021-10-05 10:57:32 UTC
A remote server can obtain security trust even if the trust is not valid, when multiple CAs have signed the TLS server certificate or in cases of broken server certificate chains. This indication of trust may be passed along to clients allowing access to unsafe or hijacked services.

Upstream Advisory:

https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r

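Added example, not part of the bug report and not squid's code: a shell script that builds a throwaway PKI with the openssl CLI (assumed to be installed) and runs openssl verify as the reference validator over the three situations the description names. A TLS-intercepting proxy must reach the same verdicts: a leaf certificate chaining through its intermediate to a trusted root is trusted; the same leaf presented without its intermediate (a broken chain) is not; and a certificate for the same server key and name signed by an additional CA the proxy does not trust is not, regardless of the good certificate that also exists for that server. The CA and host names, the WORK directory and the extension files are this example's own assumptions; the squid code path that mishandled these cases is not shown on this page.

```shell
#!/bin/sh
# Added example (not squid code): the verdicts a TLS-intercepting proxy's
# server-certificate validation must produce, demonstrated with a throwaway
# PKI built by the openssl CLI. Names and paths below are made up for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Key pair + CSR: $1 = file basename, $2 = subject CN
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a certificate from a CSR: $1 = CSR basename, $2 = output file,
# $3 = issuer basename or "self" for a self-signed root, $4 = extension file
issue_cert() {
    if [ "$3" = "self" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -out "$WORK/$2" -days 2 -extfile "$WORK/$4" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
            -CAcreateserial -out "$WORK/$2" -days 2 -extfile "$WORK/$4" >/dev/null 2>&1
    fi
}

# Build: trusted root -> intermediate -> leaf for example.test, plus an
# unrelated "Rogue CA" that also signs the very same leaf CSR.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.test\n' \
        > "$WORK/leaf.ext"

    new_csr root  "Test Root CA"  && issue_cert root  root.crt  self  ca.ext   &&
    new_csr inter "Test Inter CA" && issue_cert inter inter.crt root  ca.ext   &&
    new_csr rogue "Rogue CA"      && issue_cert rogue rogue.crt self  ca.ext   &&
    new_csr leaf  "example.test"  && issue_cert leaf  leaf.crt  inter leaf.ext &&
    issue_cert leaf leaf-rogue.crt rogue leaf.ext   # second signature, untrusted CA
}

# Run openssl verify with the given arguments; print the proxy-style verdict.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Trust store is only root.crt. -untrusted plays the role of the intermediate
# certificates a server sends in its handshake.
verify_full_chain()   { verdict -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt"; }
verify_broken_chain() { verdict -CAfile "$WORK/root.crt" "$WORK/leaf.crt"; }
verify_rogue_issuer() { verdict -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf-rogue.crt"; }

build_pki || { echo "PKI setup failed (is openssl installed?)" >&2; exit 1; }
printf 'full chain       : %s\n' "$(verify_full_chain)"    # trusted
printf 'broken chain     : %s\n' "$(verify_broken_chain)"  # untrusted
printf 'untrusted issuer : %s\n' "$(verify_rogue_issuer)"  # untrusted
```

Run it as `sh verify_chain_cases.sh`; only the first case may come back trusted. The second and third cases are exactly the conditions the advisory describes (broken chain, additional CA signature); a proxy that reports trusted for either, or that lets a later successful path override an earlier validation error, forwards a trust indication to its clients that was never established.
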
Comment 1 Marian Rehak 2021-10-05 10:57:47 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 2010686]

Comment 4 Product Security DevOps Team 2022-04-18 00:27:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41611
