CVE-2014-0128
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2014-0128 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (squid) | RHSA-2014:0597 | 2014-06-03 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | squid | Not affected |
| Red Hat Enterprise Linux 5 | squid | Not affected |
Acknowledgements
Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as the original reporters.Mitigation
To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives. Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.
External References
CVE description copyright © 2017, The MITRE Corporation