back to article Squid games: 35 security holes still unpatched in proxy after 2 years, now public

35 vulnerabilities in the Squid caching proxy remain unfixed more than two years after being found and disclosed to the open source project's maintainers, according to the person who reported them. Squid is a caching and forwarding HTTP web proxy that is very widely used by ISPs and website operators. In February 2021, …

  1. b0llchit Silver badge

    Many projects live on the "submit a fix please" principle because they do not have any resources and don't have paid-for maintenance. When someone logs (many) problems, then that is very nice. But not adding to solving the problems is a real challenge.

    It is "easy" to run analysis on code. But fixing the problems uncovered is often much harder because, most of the time, you need to understand the broader logic of the code before you can fix a problem or risk introducing other flaws. The resources required to find flaws is lower than those required to fix any found flaws.

    As with most open projects, please get involved. It is appreciated when you report bugs. It is even more appreciated when you submit a fix for the bug.

    1. wolfetone Silver badge

      I think too that if you're a company making a profit on the back of using these open projects, put your money in your pocket and provide support to these projects.

      1. Lee D Silver badge

        *cough* SMOOTHWALL *cough*.

      2. wolfetone Silver badge

        Can't edit it, but obviously I meant "put your hands in your pocket", not "money in your pocket". Because thats what these bastards are doing anyway.

        1. Anonymous Coward
          Anonymous Coward

          That may be what you meant, but what you accidentally said is more realistic.

    2. Blazde Silver badge

      "The resources required to find flaws is lower than those required to fix any found flaws."

      I really think you're underestimating the effort that goes into vulnerability hunting. It's true you *can* stumble across an issue, or run an automated tool that spits out reams of false positives or garbage inputs that trigger crashes for unknown reasons, and you can submit low-quality bug reports based on that. That's clearly not what Joshua has done here or what most security researchers do. The reports are high quality, they explain the logic and broad conditionality leading to the issue and identify the code that's broken. The research is impressively exhaustive. I don't know Squid (or care much about it to be honest) but most of the issues look like their security consequences could at least be mitigated with very small patches, even if a 'proper' fix would require wider new features to handle the failure cases in ideal ways. Of course it's a daunting task to write even 55 small patches for an old code base, but that's a reflection of the effort that went into finding the issues. It's not because Joshua was too lazy to do the hard bit and solve them. Finding them *is* a big step toward solving them.

      Sometimes vulnerability reports are met with outright hostility, which is depressing, but sometimes the response is reminiscent of your comment. There's this kind of polite 'we want to be seen to say we appreciate your bug report but secretly we'd rather you left alone' which is ultimately still a veiled appeal to security through obscurity.

      1. ryokeken



  2. James R Grinter

    In this HTTPS-first world…

    What value is anyone still getting out of Squid?

    We found it very useful 25+ (time flies…) years ago, but the internet is different now. If I were forward proxying, well, I would be surprised if there were any gains these days from caching. If I were reverse proxying then there are better, more modern technologies.

    1. katrinab Silver badge

      Re: In this HTTPS-first world…

      Indeed. I use HAProxy for my main reverse proxy, and also nginx for exposing back-end apis.

    2. Anonymous Coward
      Anonymous Coward

      Re: In this HTTPS-first world…

      Caching is certainly less useful now, though can still be done in environments where HTTPS MITM is viable (which actually is the case in quite a few places where squid might be used, and squid does support it).

      Squid is also useful for access control and logging (which can include at least hostnames for HTTPS connections even without MITM).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like