[squid-users] host header forgery false positives
Yuri Voinov
yvoinov at gmail.com
Tue Feb 16 09:47:12 UTC 2016
I confirm - I've seen this issue in cache.log too.
16.02.16 11:25, Amos Jeffries пишет:
> On 16/02/2016 3:12 p.m., Jason Haar wrote:
>> On Tue, Feb 16, 2016 at 2:48 AM, Amos Jeffries wrote:
>>
>>> Thanks for the reminder. I dont recall seeing a bug report being made.
>>> Though Jason has sent me a more detailed cache.log trace to work with.
>>>
>>
>> Yeah - I actually got half-way through putting in a bug report twice - but
>> ditched it for this and that reason. There's also evidence that this
>> affects http as well as https. When I was digging through the 2G cache.log
>> file for the SSL intercept related forgery samples, I found some http
>> related ones too. I wonder if this is generic to all intercept traffic
>> instead of https specific?
>>
> Ah. If it is the same thing, then it probably is bug 3940. The patch in
> there seems to work as a temporary fix, I am just holding off applying
> until we can audit to ensure the flags are used correcty everywhere else
> as well.
>
> PS. that audit was supposed to start yesterday, but got stuck with a
> vulnerability issue this week. Looks like it will begin later today.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list