Upstream information

CVE-2015-3455 at MITRE

Description

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores

                         National Vulnerability Database   SUSE
Base Score               2.6                               5.8
Vector                   AV:N/AC:H/Au:N/C:N/I:P/A:N        AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector            Network                           Network
Access Complexity        High                              Medium
Authentication           None                              None
Confidentiality Impact   None                              Partial
Integrity Impact         Partial                           Partial
Availability Impact      None                              None
SUSE Bugzilla entry: 929493 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Server 12 SP1
  • squid >= 3.3.14-20.2
Patchnames:
SUSE-SLE-SERVER-12-SP1-2016-1184
openSUSE 13.1
  • squid >= 3.3.13-2.17.1
  • squid-debuginfo >= 3.3.13-2.17.1
  • squid-debugsource >= 3.3.13-2.17.1
Patchnames:
openSUSE-2015-581
openSUSE Leap 42.1
  • squid >= 3.3.14-6.1
  • squid-debuginfo >= 3.3.14-6.1
  • squid-debugsource >= 3.3.14-6.1
Patchnames:
openSUSE-2016-988
Status of this issue by product and package

Product(s)                                  Source package   State
SUSE Linux Enterprise Server 11 SP2         squid            Not affected
SUSE Linux Enterprise Server 11 SP2         squid3           Not affected
SUSE Linux Enterprise Server 11 SP2 LTSS    squid            Not affected
SUSE Linux Enterprise Server 11 SP2 LTSS    squid3           Not affected
SUSE Linux Enterprise Server 11 SP3         squid            Not affected
SUSE Linux Enterprise Server 11 SP3         squid3           Not affected
SUSE Linux Enterprise Server 11 SP4         squid            Not affected
SUSE Linux Enterprise Server 12 GA          squid            Released
SUSE Linux Enterprise Server 12 SP1         squid            Released