Hot off the press!!!
-
Just got an update on Squid working on bug fixes. Looks like 7 is the version that mitigates most of all of them.
The Squid Project apologizes for being late in responding to the
publication of 55 vulnerabilities disclosed by Joshua Rogers of Opera Software
at https://megamansec.github.io/Squid-Security-Audit/

We thank Joshua for discovering these bugs and sharing their details with us.
The surprise publication caught us off guard, but Squid developers had worked
on addressing some of the disclosed vulnerabilities since before that
publication. This message summarizes Squid's status on October 9th, 2024.

As of Squid v6.8, the vast majority of high-impact vulnerabilities have been
addressed. The following disclosed vulnerabilities are still present:

Vulnerability "strlen(NULL) Crash Using Digest Authentication"

This vulnerability is still present in Squid v6.11. A fix is expected in Squid
v6.12, due any day now.

Digest authentication is disabled by default; the current workaround is to
avoid Digest authentication.

To verify whether your Squid configuration is vulnerable, check whether it
contains an "auth_param" directive. Configurations with auth_param directives
mentioning the "digest" scheme may be vulnerable.

pipeline_prefetch (HTTP pipelining of client-to-Squid requests)

All reported pipelining-related vulnerabilities may still be present in Squid
v6. Pipelining code will probably be removed in the master branch and become
unavailable in Squid v7. Pipelining is disabled by default.

If you do not need pipelining (or do not know for sure that you need it), do
not enable that performance optimization.

To verify whether your Squid configuration is vulnerable, check whether it
contains a pipeline_prefetch directive. Configurations containing a
pipeline_prefetch directive set to a positive value may be vulnerable.

ESI (Edge Side Includes)

Most reported ESI-related vulnerabilities are still present in Squid v6. ESI
code has been removed in the master branch and will not be available in
Squid v7.

ESI is disabled in the default build starting with Squid v6.10. In earlier
versions, ESI code is enabled by default, but the risk is moderate because
exploiting this family of vulnerabilities requires Squid to be configured as
a reverse proxy for a malicious origin server.

If you do not need ESI (or do not know whether you need it), disable it with
--disable-esi (default for Squid v6.10 and later).

To verify whether your Squid build is vulnerable, run "squid -v". Squid v6.9
and earlier versions may be vulnerable unless the output contains
--disable-esi. Squid v6.10 and later versions may be vulnerable if the output
contains --enable-esi.

Squid v5

Some fixes were backported to Squid v5, but we lack the resources necessary to
support that old version. Folks running Squid v5 and earlier versions should
either upgrade to the latest v6 release or rely on their
integrator/distributor for support.

--
Francesco Chemolli
Squid Software Foundation
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users

"I personally utilize a custom config that resolves most of the issues I had. I cache Windows 11 updates etc. I have timer locks on when it can be used, MAC address to IP confirmation before proxy use, and I also use broken trusted server lists to fix the issues with trust issues with reserving updates. It took many years for me to get it to work the way I needed. But Squid's software is configured with PHP code that basically sets up Squid. Squid is a huge program; Netgate manages the PHP stuff to make it work within the firewall."
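The three verification steps in the quoted advisory (an auth_param directive naming the digest scheme, a pipeline_prefetch directive set to a positive value, and the --disable-esi / --enable-esi flags in "squid -v" output) can be turned into a single read-only check. The script below is an added example, not code from the advisory, the Squid project, or either forum poster. It runs against constructed sample files standing in for squid.conf and saved "squid -v" output; the helper and password paths inside them are placeholders, and the "on" spelling accepted for pipeline_prefetch is an assumption covering the older boolean form of that directive.

```shell
#!/bin/sh
# Added example (not from the advisory or the Squid project): a read-only check for the
# three risk indicators the advisory names. All input files below are constructed samples.

# True (exit 0) when the config has an auth_param directive for the digest scheme.
# Matched case-insensitively to err on the side of reporting.
config_uses_digest() {
    grep -Eiq '^[[:space:]]*auth_param[[:space:]]+digest([[:space:]]|$)' "$1"
}

# True when the last pipeline_prefetch directive is set to a positive value.
# "on" is also treated as positive (assumed older boolean syntax).
config_enables_pipelining() {
    val=$(grep -Ei '^[[:space:]]*pipeline_prefetch[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    [ -z "$val" ] && return 1
    case "$val" in
        [Oo][Nn]) return 0 ;;
        *[!0-9]*) return 1 ;;
        *) [ "$val" -gt 0 ] ;;
    esac
}

# True when a saved `squid -v` output indicates ESI is compiled in, applying the
# advisory's rule: v6.9 and earlier have ESI unless --disable-esi appears;
# v6.10 and later have it only if --enable-esi appears; v7 carries no ESI code.
build_has_esi() {
    ver=$(sed -n 's/^Squid Cache: Version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' "$1" | head -n 1)
    [ -z "$ver" ] && return 2
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -ge 7 ]; then
        return 1
    elif [ "$major" -lt 6 ] || [ "$minor" -le 9 ]; then
        ! grep -q -- '--disable-esi' "$1"
    else
        grep -q -- '--enable-esi' "$1"
    fi
}

# Print one WARN line per indicator found, then the number of findings on the last line.
report() {
    conf=$1; build=$2; n=0
    if config_uses_digest "$conf"; then
        echo "WARN: auth_param digest configured (strlen(NULL) crash; avoid Digest until the fixed release)"; n=$((n + 1))
    fi
    if config_enables_pipelining "$conf"; then
        echo "WARN: pipeline_prefetch > 0 (pipelining bugs may still be present in v6; set it to 0)"; n=$((n + 1))
    fi
    if build_has_esi "$build"; then
        echo "WARN: ESI compiled in (rebuild with --disable-esi or move to a build without it)"; n=$((n + 1))
    fi
    echo "$n finding(s)"
    return 0
}

# Number of findings only, for scripting.
count_findings() {
    report "$1" "$2" | tail -n 1 | awk '{print $1}'
}

# --- constructed sample inputs (not from any real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/risky.conf" <<'EOF'
# constructed squid.conf
auth_param digest program /path/to/digest_helper /path/to/passwd
auth_param digest realm proxy
pipeline_prefetch 2
http_port 3128
EOF
cat > "$tmp/safe.conf" <<'EOF'
auth_param basic program /path/to/basic_helper /path/to/passwd
pipeline_prefetch 0
http_port 3128
EOF
cat > "$tmp/v6.9.txt" <<'EOF'
Squid Cache: Version 6.9
Service Name: squid
configure options:  '--prefix=/usr'
EOF
cat > "$tmp/v6.10.txt" <<'EOF'
Squid Cache: Version 6.10
Service Name: squid
configure options:  '--prefix=/usr'
EOF
cat > "$tmp/v6.10-esi.txt" <<'EOF'
Squid Cache: Version 6.10
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi'
EOF

report "$tmp/risky.conf" "$tmp/v6.9.txt"
report "$tmp/safe.conf" "$tmp/v6.10.txt"
```

On a real host, pass the actual squid.conf and a file holding the output of "squid -v"; the script only reads those files and prints findings, so it is safe to run on a production proxy. The v6.9 sample is flagged for ESI because nothing in its configure options disables it, while the v6.10 sample is clean unless --enable-esi is present, which is exactly the two-sided rule the advisory gives.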