[squid-users] Upgradation of squid version 3.5.27 on ubuntu 18.04
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 1 11:38:36 UTC 2021
On 30/09/21 1:26 am, sheik abdul wrote:
> Hello Team,
>
> Hope you're doing well!
>
> I have installed Ubuntu 18.04 (Bionic) with the squid version of 3.5.27
> (maybe that's the latest version).
That is the squid version shipped by Ubuntu 18.04 LTS.
> I'm always getting in the
> Vulnerability list and stats that need to upgrade to the latest version
> of squid so that I can avoid those vuln.
An upgrade of Squid is not going to help avoid the "issue" you list below.
For two reasons:
1) It is a side effect of the build environment used to build Squid,
not the Squid code itself.
2) The Squid security team rejected the CVE you reference, on the grounds
that the behaviour is intentional - the Squid main/'master' process never
actually finishes with root privileges. It needs to be able to start and
assign some child processes high privileges from time to time.
> Please find the below vuln. details for you ref.
>
> https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt
>
Before worrying, please notice that document states the behaviour does
not occur in the HAVE_SETRESUID or HAVE_SETEUID code.
The OS function setresuid() has been provided by Linux since 2.1 and
glibc since 2.3.2. Both predate Ubuntu 18.* by many years. So I am
doubtful your Squid is actually relevant to that documented behaviour.
If that HAVE_SETRESUID code is not being built, that is an issue the
vendor building your Squid package (Ubuntu) needs to fix.
> And I just want to know whether it is possible to update the squid version
> in ubuntu 18 because it's already been in the latest version but I'm not
> sure why it's asking us to update the latest version (from 4.1 to 5
> onwards).
What is asking you to upgrade? Squid does not ask such things. AFAIK,
Ubuntu package managers will only mention upgrades if the repositories
you are using actually have a newer version available - at which point a
regular "apt upgrade" command should do it for you.
Cheers
Amos
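
Added example, not part of the original message and not Squid project code: one way to see which privileges a running process actually holds on Linux is the `Uid:` line of `/proc/<pid>/status`, which lists the real, effective, saved-set and filesystem UIDs. The process name `squid`, the function names, the labels and the sample status text (UID 13 as the unprivileged account) are assumptions constructed for illustration.

```python
"""Classify a Linux process's UID state from /proc/<pid>/status text."""
from pathlib import Path

def parse_uids(status_text):
    """Return (real, effective, saved, fs) UIDs from the 'Uid:' line."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()[1:]
            if len(fields) != 4:
                raise ValueError("malformed Uid line: %r" % line)
            return tuple(int(f) for f in fields)
    raise ValueError("no Uid line found")

def classify(status_text):
    """Say whether the process is root, can regain root, or has dropped it."""
    real, effective, saved, _fs = parse_uids(status_text)
    if effective == 0:
        return "running-as-root"
    if real == 0 or saved == 0:
        # Effective UID is unprivileged, but a root real or saved UID lets
        # the process switch its effective UID back to 0 (temporary drop).
        return "can-regain-root"
    return "dropped"

def audit(proc_name="squid", proc_root="/proc"):
    """Classify every live process whose Name: field equals proc_name."""
    results = {}
    for status in Path(proc_root).glob("[0-9]*/status"):
        if not status.parent.name.isdigit():
            continue
        try:
            text = status.read_text()
        except OSError:
            continue  # process exited or is not readable
        if ("Name:\t%s\n" % proc_name) in text:
            results[int(status.parent.name)] = classify(text)
    return results

# Constructed samples, not captured from a real system.
SAMPLE_TEMP_DROP = "Name:\tsquid\nUid:\t0\t13\t0\t13\nGid:\t0\t13\t0\t13\n"
SAMPLE_FULL_DROP = "Name:\tsquid\nUid:\t13\t13\t13\t13\nGid:\t13\t13\t13\t13\n"

if __name__ == "__main__":
    print(classify(SAMPLE_TEMP_DROP), classify(SAMPLE_FULL_DROP))
    print(audit())
```

Run against a live system, `audit()` returns a PID-to-state mapping for every process named `squid`, which shows directly whether a given process has kept a root real or saved UID.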