[squid-users] host header forgery false positives

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 16 05:25:57 UTC 2016


On 16/02/2016 3:12 p.m., Jason Haar wrote:
> On Tue, Feb 16, 2016 at 2:48 AM, Amos Jeffries wrote:
> 
>> Thanks for the reminder. I dont recall seeing a bug report being made.
>> Though Jason has sent me a more detailed cache.log trace to work with.
>>
> 
> 
> Yeah - I actually got half-way through putting in a bug report twice - but
> ditched it for this and that reason. There's also evidence that this
> affects http as well as https. When I was digging through the 2G cache.log
> file for the SSL intercept related forgery samples, I found some http
> related ones too. I wonder if this is generic to all intercept traffic
> instead of https specific?
> 

Ah. If it is the same thing, then it probably is bug 3940. The patch in
there seems to work as a temporary fix, I am just holding off applying
until we can audit to ensure the flags are used correcty everywhere else
as well.

PS. that audit was supposed to start yesterday, but got stuck with a
vulnerability issue this week. Looks like it will begin later today.

Amos



More information about the squid-users mailing list