Bug 1191329 (CVE-2021-41611)

Summary: VUL-0: CVE-2021-41611: squid,squid3: improper certificate validation
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: abergmann, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/311736/
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2021-10-05 12:13:20 UTC

A remote server can obtain security trust even if the trust is not valid, when multiple CAs have signed the TLS server certificate or in cases
of broken server certificate chains. This indication of trust may be passed along to clients allowing access to unsafe or hijacked services.

Upstream Advisory:


Comment 1 Alexander Bergmann 2021-10-05 12:15:38 UTC
This issue is not affecting SLE and openSUSE.

All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.

Even openSUSE:Factory is still on version 4.16.

Closing as invalid.