Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html | third party advisory vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2015-2378.html | vendor advisory |
| http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | third party advisory |
| http://lists.opensuse.org/opensuse-updates/2015-09/msg00016.html | vendor advisory |
| http://www.securityfocus.com/bid/74438 | vdb entry |
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | third party advisory |
| http://www.securitytracker.com/id/1032221 | vdb entry third party advisory |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor advisory |
| http://advisories.mageia.org/MGASA-2015-0191.html | third party advisory |
| http://www.mandriva.com/security/advisories?name=MDVSA-2015:230 | vendor advisory broken link |
| http://www.squid-cache.org/Advisories/SQUID-2015_1.txt | vendor advisory |