It was found that when Squid was configured with client-first SSL-bump it did not correctly validate X.509 server certificate domain / host name fields. A man-in-the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate.
This flaw is only exploitable when Squid is configured to perform SSL Bumping with the "client-first" or "bump" mode of operation. Sites that do not use SSL-Bump are not vulnerable.
This flaw is fixed in Squid versions 3.5.4, 3.4.13, 3.3.14, and 3.2.14. Squid 2.x, 3.0 and 3.1 releases are not vulnerable to this flaw.
This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 and 6.
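The check that the description says client-first bumping skipped is ordinary host name matching of the origin server's certificate against the name the client asked for: the subjectAltName dNSName entries are authoritative, the subject commonName is a legacy fallback used only when no dNSName is present, and a wildcard is only honoured as the whole leftmost label. The following is an added Python example of that check, not Squid's own code and not part of this bug report. The certificate dictionaries are constructed here (no real certificates) in the shape that ssl.SSLSocket.getpeercert() returns; the bump_decision helper is hypothetical and only illustrates where a bumping proxy would apply the result.

```python
"""Host name matching for an X.509 server certificate (RFC 6125 style).

Added example of the validation step a bumping proxy must perform on the
origin server's certificate. It is not Squid code. The certificate dicts
below are constructed, in the layout returned by ssl.SSLSocket.getpeercert().
"""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern (optionally a leftmost '*' label) to hostname.

    Rules applied (the strict subset most TLS stacks use today):
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard must be the entire leftmost label ("*.example.com"),
        never partial ("f*.example.com") and never in a later label;
      - the wildcard matches exactly one label, so "*.example.com" matches
        "www.example.com" but neither "example.com" nor "a.b.example.com";
      - a wildcard needs at least two labels after it, so "*.com" is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False          # partial or non-leftmost wildcard: refuse
    if len(plabels) < 3:
        return False          # "*.com" would match every .com host
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False          # wildcard covers exactly one non-empty label
    return plabels[1:] == hlabels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True if cert is valid for hostname.

    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName at all.
    """
    dnsnames = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dnsnames:
        # Legacy fallback: CN is used only when there is no dNSName SAN.
        for rdn in cert.get("subject", ()):
            for (k, v) in rdn:
                if k == "commonName":
                    dnsnames.append(v)
    return any(_dnsname_match(p, hostname) for p in dnsnames)


def bump_decision(cert: dict, requested_host: str) -> str:
    """Hypothetical proxy policy: forward only if the origin cert names the host."""
    return "forward" if verify_hostname(cert, requested_host) else "terminate"


# Constructed certificates (not real). ATTACKER_CERT is the interesting one:
# a validly issued certificate for an attacker-controlled name chains to a
# trusted CA, so without the host name check it is accepted for any site.
BANK_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "subjectAltName": (("DNS", "bank.example.com"), ("DNS", "www.bank.example.com")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# SAN present but CN matches the requested host: SAN must win, CN is ignored.
SAN_ONLY_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
LEGACY_CN_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [
        (BANK_CERT, "bank.example.com"),
        (ATTACKER_CERT, "bank.example.com"),
        (WILDCARD_CERT, "www.example.com"),
        (WILDCARD_CERT, "a.b.example.com"),
        (SAN_ONLY_CERT, "bank.example.com"),
        (LEGACY_CN_CERT, "legacy.example.com"),
    ]:
        print(f"{host:22} -> {bump_decision(cert, host)}")
```

The point of the SAN_ONLY_CERT case is that a certificate whose CN happens to equal the requested host is still rejected once it carries a dNSName that does not; a proxy that consults only the CN, or that skips the comparison entirely, accepts the attacker's certificate for any origin.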
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1218119]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2378 https://rhn.redhat.com/errata/RHSA-2015-2378.html
libecap-1.0.0-1.fc22 and squid-3.5.10-1.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.