Dozens of vulnerabilities in Squid have not been fixed for 2.5 years

More than two years have passed since the discovery of 35 vulnerabilities in the Squid caching proxy, and most of them are still not fixed, warns the security expert who first reported the problems.

In February 2021, security specialist Joshua Rogers conducted an analysis of Squid and identified 55 vulnerabilities in the project's code.

To date, only 20 of them have been eliminated. The majority of vulnerabilities have not received CVE designations, which means there are no official fixes or recommendations for eliminating them. Rogers, in a letter to the Openwall security community, said that after a long wait, he decided to publish this information.

Rogers detailed the vulnerabilities on his website, highlighting a variety of problems - use-after-free, memory leak, cache poisoning, assertion failure and other flaws in various components. At the same time, the specialist expressed understanding for the Squid team, noting that many developers of open-source projects work on a volunteer basis and cannot always quickly respond to such problems.

It's worth noting that Squid is currently in use in millions of instances around the world.

Rogers' recommendations imply that each user should independently evaluate whether Squid is suitable for their system. Otherwise, users may encounter failures and information security risks.

This situation reminds us all of the importance of regularly updating and keeping software secure. Otherwise, as Rogers emphasizes, “it won’t do any good.”

This troubling episode raises serious questions about the security of open source projects and their ability to cope with a constant stream of new vulnerabilities.

It is hoped that community members and developers will take immediate action to address this threat in the future.

Joshua's letter on Openwall (English)

Details of problems on Joshua's website (English)

Source: linux.org.ru
