October 12, 2023 at 08:26PM
35 vulnerabilities in the Squid caching proxy remain unfixed after more than two years, according to the person who reported them. The researcher found 55 flaws in Squid’s source code, but only 20 have been fixed. The remaining vulnerabilities do not have patches or workarounds, and some have not been assigned CVEs. The researcher has released the issues publicly due to the lack of progress. It is recommended that Squid users review the vulnerability descriptions and reassess whether it is the right solution for their system.
Meeting takeaways:
– There are 35 vulnerabilities in the Squid caching proxy that remain unfixed after being reported more than two years ago.
– Security researcher Joshua Rogers performed a security audit on Squid and found 55 flaws in the project’s source code.
– Only 20 of those flaws have been fixed to date, and the majority haven’t been assigned CVEs.
– Rogers has decided to publicly release the remaining issues after waiting for two and a half years.
– The Squid developers have not responded to the inquiries made by The Register.
– Rogers has listed 45 exploitable security issues with detailed technical information on GitHub.
– He found the flaws in Squid-5.0.5 and tested various components and configurations.
– Rogers acknowledges that the Squid maintainers may not have the resources to quickly fix all the issues.
– The responsibility for maintaining and supporting open source software is a larger topic of discussion.
– With over 2.5 million Squid instances reachable on the internet, users are advised to review the vulnerability descriptions and reassess whether Squid is suitable for their systems.