Descriptione2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1003125

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
e2guardian (PTS)buster5.3.1-1vulnerable
bookworm, sid5.3.5-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - e2guardian <no-dsa> (Minor issue)
[stretch] - e2guardian <ignored> (SSL MITM engine not enabled in stretch)
Fixed by:

Search for package or bug name: Reporting problems