[squid-users] 2 year old security bugs not fixed?
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 13 16:49:28 UTC 2023
On 14/10/23 04:19, Dieter Bloms wrote:
> Hello,
>
> I stumbled across this page
> https://joshua.hu/squid-security-audit-35-0days-45-exploits and wonder
> if all these security holes are really still there.
>
> Can someone from the developers give a status?
>
> Thank you very much.
>
We continue to close the vulnerabilities we can, in the order we deem
most urgent based on what we know of common use cases for Squid.

Some issues listed are missing their fix references, so the situation is
(slightly) better than first appearances. Right now I am going through
the list again cross-checking his given titles against our security team
records to make sure all of them have had the appropriate triage done
and get his CVE references updated.

To quote the article:
"
The Squid Team have been helpful and supportive during the process of
reporting these issues. However, they are effectively understaffed, and
simply do not have the resources to fix the discovered issues. Hammering
them with demands to fix the issues won’t get far.
"

If anyone wishes to help please volunteer in squid-dev or squid-bugs
mailing lists. <https://wiki.squid-cache.org/DeveloperResources/> has
all the starter info.

Amos