Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20150717172019.4BBA26C0013@smtpvmsrv1.mitre.org>
Date: Fri, 17 Jul 2015 13:20:19 -0400 (EDT)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Squid HTTP proxy CVE request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>  - the "must" in "must be denied". "should" would be closer. It has been
> a public issue for a long time and to our knowledge no actual DoS has
> occured.

>  - other products had issues with client certificate authentication.
> None so far for us. If that is complained about we will likely re-enable
> it for that specific use case.


> When the OpenSSL library provides that flag definition, we set it

The case is somewhat unusual, but we feel that this seems "too
optional" to have a CVE ID.
http://wiki.squid-cache.org/SquidFaq/CompilingSquid doesn't tell the
user that the OpenSSL library (when an old version is used) must be
configured in a certain way to address a Squid vulnerability.
Admittedly, a user might have already -- for an unrelated reason --
configured OpenSSL to disable client-initiated renegotiation, and
might have an expectation that there would be (in effect) propagation
of this choice into a Squid build. We feel that this isn't an obvious
expectation, especially because that type of propagation isn't
automatic: it requires that an OpenSSL-based product have
application-specific code to support the propagation.

There's no CVE ID for now. If there's a future case where either the
official Squid distribution, or a repackager, decides to
unconditionally force "defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)" to
be true as a vulnerability fix for an OpenSSL 0.9.8l-1.0.2
environment, then a CVE ID should then be available.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVqTjaAAoJEKllVAevmvmsB2QH/irNR+AYV7bea/MTN3GdJymn
NqP9rlZXtfIDUuDnjJ24bg4+CYcglhbt4kK5rbGl4TBAFY6dd1YCZHwYR29iPPEE
lhTeuPXmlwWIDCyxN/tsdptvbatjrax8P0vc/7UAO0YgSSHTWPATrdCqZ1v03oYO
IPeB/Yd4Axk406h8HoKYIwnawr6ifjILlRDDL8io5fh6PXU3nJdwPeLjwPLbtXH6
tpDAPFhysF5YhZ4tNJxTOeIULS3D79M/wMn/+KpP3PQOFf+8RJY5Obg+KFKQ6XCk
/zDsppAMtcjQIduWiLxZHTU0bzaWidWpEM7ODSe6TEnBk8DATfMc06rapZNdoqo=
=L1eB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.