On 2/03/22 05:35, Adam Majer wrote:
Hi all,
There apparently was a CVE assigned some time ago but I cannot seem to
find it being addressed.
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt
The crux of the problem is that privileges are not dropped and could be
re-acquired. There is even a warning against running squid as root but
if root is one function call away, it seems it's the same.
Any thoughts on this?
To quote myself:
"
We do not have an ETA on this issue. Risk is relatively low and several
features of Squid require the capability this allows in order to
reconfigure. So we will not be implementing the quick fix of fully
dropping root.
"
If anyone wants to work on it you can seek out any/all calls to
enter_suid and see if they can be removed yet. Some may be able to go
immediately, and some may need replacing with modern libcap capabilities.
HTH
Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
