[squid-users] XSS issue only affects bump doesn't it?

Discussion:

[squid-users] XSS issue only affects bump doesn't it?

Jason Haar

2018-10-28 20:20:24 UTC

Hi there

I'm running a vulnerable version of squid (ie "--with-openssl" and
"--enable-ssl") but due to issues with bumping not working well, don't
actually do it (ie sslcrtd_program and ssl_bump not defined/etc).

So does that mean we can't actually be affected by this vulnerability?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Amos Jeffries

2018-10-29 00:39:51 UTC

Post by Jason Haar
Hi there
I'm running a vulnerable version of squid (ie "--with-openssl" and
"--enable-ssl") but due to issues with bumping not working well, don't
actually do it (ie sslcrtd_program and ssl_bump not defined/etc).
So does that mean we can't actually be affected by this vulnerability?

The problem is in the error page generated. So while it is most visible
with bump'ed traffic it also can occur whenever Squid is the agent
performing the TLS handshake with a server.

Amos

1 Reply
4 Views
Permalink to this page
Disable enhanced parsing

Thread Navigation

Jason Haar 2018-10-28 20:20:24 UTC

Amos Jeffries 2018-10-29 00:39:51 UTC

about - legalese

Loading...