[squid-users] XSS issue only affects bump doesn't it?

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 29 00:39:51 UTC 2018


On 29/10/18 9:20 AM, Jason Haar wrote:
> Hi there
> 
> I'm running a vulnerable version of squid (ie "--with-openssl" and
> "--enable-ssl") but due to issues with bumping not working well, don't
> actually do it (ie sslcrtd_program and ssl_bump not defined/etc).
> 
> So does that mean we can't actually be affected by this vulnerability?

The problem is in the error page generated. So while it is most visible
with bump'ed traffic it also can occur whenever Squid is the agent
performing the TLS handshake with a server.

Amos


More information about the squid-users mailing list