| Name | CVE-2021-44273 |
| Description | e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3564-1 |
| Debian Bugs | 1003125 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| e2guardian (PTS) | buster | 5.3.1-1 | vulnerable |
| buster (security) | 5.3.1-1+deb10u1 | fixed | |
| bullseye | 5.3.4-1+deb11u1 | fixed | |
| bookworm | 5.3.5-4 | fixed | |
| sid, trixie | 5.5.4-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| e2guardian | source | buster | 5.3.1-1+deb10u1 | DLA-3564-1 | ||
| e2guardian | source | bullseye | 5.3.4-1+deb11u1 | |||
| e2guardian | source | (unstable) | 5.3.5-3 | 1003125 |
[stretch] - e2guardian <ignored> (SSL MITM engine not enabled in stretch)
https://www.openwall.com/lists/oss-security/2021/12/23/2
https://github.com/e2guardian/e2guardian/issues/707
Fixed by: https://github.com/e2guardian/e2guardian/commit/eae46a7e2a57103aadca903c4a24cca94dc502a2