On Wed, Nov 18, 2009 at 10:25 PM, The Psycho Chicken
<[email protected]> wrote:
> Hi,
>
> Has anyone looked at the impact of the recent TLS/SSL vulnerability
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) on Squid? If
> you're using Squid as a HTTPS reverse proxy then it has SSL exposed to the
> Internet.
>
> I haven't noticed anything in the mailing lists.
Squid is as vulnerable as any other product based on SSL.
Unfortunately there's not much we developers can do. The burden falls
on the (open)ssl library implementors, and all we can do is wait.
Some OS vendors have already started shipping an updated ssl library
which somehow plugs the hole. After that (dynamic) library has been
installed on the host OS, Squid (after a restart at most) is
immediately protected from the flaw.
--
/kinkie
