Bug 1191329 (CVE-2021-41611)

Summary: VUL-0: CVE-2021-41611: squid,squid3: improper certificate validation
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: abergmann, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/311736/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2021-10-05 12:13:20 UTC
rh#2010685

A remote server can obtain security trust even if the trust is not valid, when multiple CAs have signed the TLS server certificate or in cases
of broken server certificate chains. This indication of trust may be passed along to clients allowing access to unsafe or hijacked services.

Upstream Advisory:

https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2010685
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41611

Comment 1 Alexander Bergmann 2021-10-05 12:15:38 UTC
This issue does not affect SLE and openSUSE.

All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.

Even openSUSE:Factory is still on version 4.16.

Closing as invalid.