On 15/07/2013 4:34 a.m., Squid27User wrote:
> Thanks for your reply. Being an enterprise, I'd have to prove it is a bug
> before we can upgrade. Is it possible for you to let me know if there is any
> possibility in the Squid 2.7 code where a new client connection (after a
> timeout) can end up relaying a CONNECT to the server through SSL?

I can't be sure, sorry. I've not worked with any of the 2.7 tunneling or
SSL code.
There is this if you require a reason to upgrade and are using traffic
interception:
http://www.squid-cache.org/Advisories/SQUID-2011_1.txt
"This problem allows any browser script to bypass local security and
retrieve arbitrary content from any source."
By "local security" we mean both Squid ACL permissions AND any network
firewall which is in place.
There are definitely things out there taking advantage of it already.
Amos