Bug#1003125: e2guardian: CVE-2021-44273

Moritz Mühlenhoff jmm at inutil.org
Tue Jan 4 15:39:03 GMT 2022


Source: e2guardian
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for e2guardian.

CVE-2021-44273[0]:
| e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate
| validation in the SSL MITM engine. In standalone mode (i.e., acting as
| a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if
| built with OpenSSL v1.1.x, did not validate hostnames in certificates
| of the web servers that it connected to, and thus was itself
| vulnerable to MITM attacks.

https://www.openwall.com/lists/oss-security/2021/12/23/2
https://github.com/e2guardian/e2guardian/issues/707

Fixed by: https://github.com/e2guardian/e2guardian/commit/eae46a7e2a57103aadca903c4a24cca94dc502a2

Cheers,
	 Moritz
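
The failure mode in the CVE description above, as an added example that is not part of the original report and is not e2guardian's code: a small Python model of an upstream check that accepts any certificate with a trusted chain, next to one that also matches the requested hostname against the certificate's DNS names. The function and class names, the certificate data, and the assumption that chain verification itself succeeds are all constructed for illustration.

```python
from dataclasses import dataclass, field


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a hostname (RFC 6125 style rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        if len(p) < 3:
            return False  # refuse overly broad names such as "*.org"
        p, h = p[1:], h[1:]
    # Partial wildcards ("w*.example.org") and wildcards elsewhere are rejected.
    return not any("*" in label for label in p) and p == h


@dataclass
class UpstreamCert:
    # Constructed stand-in for a verified peer certificate.
    chain_trusted: bool  # assumption: CA chain check is done by the TLS library
    san_dns: list = field(default_factory=list)


def accept_upstream(cert: UpstreamCert, requested_host: str, check_hostname: bool) -> bool:
    """Decide whether the proxy may talk to this upstream server."""
    if not cert.chain_trusted:
        return False
    if not check_hostname:
        # Behaviour described in the CVE: any certificate with a trusted chain
        # is accepted, whatever name it was issued for.
        return True
    return any(dns_name_matches(name, requested_host) for name in cert.san_dns)


# Constructed sample data: both certificates chain to a trusted CA.
EXPECTED = UpstreamCert(True, ["*.example.org"])
OTHER = UpstreamCert(True, ["other.example.net"])

if __name__ == "__main__":
    for label, cert in (("expected", EXPECTED), ("other", OTHER)):
        for check in (False, True):
            verdict = accept_upstream(cert, "www.example.org", check)
            print(f"cert={label:8} check_hostname={check!s:5} accepted={verdict}")
```

In real code the comparison belongs to the TLS library's own hostname verification (OpenSSL 1.1.x provides `SSL_set1_host` for this); the matcher here only shows what that check decides.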


