XSS issue only affects bump doesn't it?

XSS issue only affects bump doesn't it?

Jason Haar-2
Hi there

I'm running a vulnerable version of squid (ie "--with-openssl" and "--enable-ssl") but due to issues with bumping not working well, don't actually do it (ie sslcrtd_program and ssl_bump not defined/etc).

So does that mean we can't actually be affected by this vulnerability?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: XSS issue only affects bump doesn't it?

Amos Jeffries
Administrator
On 29/10/18 9:20 AM, Jason Haar wrote:
> Hi there
>
> I'm running a vulnerable version of squid (ie "--with-openssl" and
> "--enable-ssl") but due to issues with bumping not working well, don't
> actually do it (ie sslcrtd_program and ssl_bump not defined/etc).
>
> So does that mean we can't actually be affected by this vulnerability?

The problem is in the error page generated. So while it is most visible
with bump'ed traffic it also can occur whenever Squid is the agent
performing the TLS handshake with a server.

Amos