Bug 1191329 - (CVE-2021-41611) VUL-0: CVE-2021-41611: squid,squid3: improper certificate validation
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/311736/
Reported: 2021-10-05 12:13 UTC by Alexander Bergmann
Modified: 2021-10-05 12:15 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2021-10-05 12:13:20 UTC
rh#2010685

A remote server can obtain security trust even if the trust is not valid, when multiple CAs have signed the TLS server certificate or in cases of broken server certificate chains. This indication of trust may be passed along to clients allowing access to unsafe or hijacked services.

Upstream Advisory:

https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2010685
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41611
Comment 1 Alexander Bergmann 2021-10-05 12:15:38 UTC
This issue is not affecting SLE and openSUSE.

All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.

Even openSUSE:Factory is still on version 4.16.

Closing as invalid.