
Re: Upgradation of squid version 3.5.27 on ubuntu 18.04


On 30/09/21 1:26 am, sheik abdul wrote:
> Hello Team,
>
> Hope you're doing well!
>
> I have installed Ubuntu 18.04 (Bionic) with the squid version of 3.5.27 (maybe that's the latest version).

That is the squid version shipped by Ubuntu 18.04 LTS.

> I'm always getting in the vulnerability list and stats that I need to upgrade to the latest version of squid so that I can avoid those vulns.

An upgrade of Squid is not going to help avoid the "issue" you list below.

For two reasons:
1) It is a side effect of the build environment used to build Squid, not the Squid code itself.

2) The Squid security team rejected the CVE you reference, on the grounds that the behaviour is intentional - the Squid main/'master' process never actually finishes with root privileges. It needs to be able to start and assign some child processes high privileges from time to time.



> Please find the below vuln. details for your ref.
>
> https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt


Before worrying, please notice that the document states the behaviour does not occur in the HAVE_SETRESUID or HAVE_SETEUID code.

The OS function setresuid() has been provided by Linux since 2.1 and glibc since 2.3.2. Both predate Ubuntu 18.* by many years. So I am doubtful your Squid is actually relevant to that documented behaviour. If that HAVE_SETRESUID code is not being built, that is an issue the vendor building your Squid package (Ubuntu) needs to fix.


> And I just want to know whether it is possible to update the squid version in ubuntu 18, because it's already at the latest version but I'm not sure why it's asking us to update to the latest version (from 4.1 to 5 onwards).

What is asking you to upgrade? Squid does not ask such things. AFAIK, Ubuntu package managers will only mention upgrades if the repositories you are using actually have a newer version available - at which point a regular "apt upgrade" command should do it for you.


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
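
To see which credentials a running Squid process actually holds, rather than relying on a scanner's version match, the real, effective and saved UIDs can be read from the "Uid:" line of /proc/<pid>/status on Linux. The following is an added example, not part of the original message or of Squid's code; the function names and the sample line (UID 13) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real, effective, saved-set and filesystem UIDs, in the order the Linux
 * kernel prints them on the "Uid:" line of /proc/<pid>/status. */
struct proc_uids { unsigned ruid, euid, suid, fsuid; };

/* Parse one status line. Returns 1 on success, 0 if it is not a Uid: line. */
int parse_uid_line(const char *line, struct proc_uids *out)
{
    if (strncmp(line, "Uid:", 4) != 0)
        return 0;
    return sscanf(line + 4, "%u %u %u %u",
                  &out->ruid, &out->euid, &out->suid, &out->fsuid) == 4;
}

/* 0 = no root UID held; 1 = effective UID is root;
 * 2 = effective UID dropped, but the real or saved UID is still 0,
 *     so the process can switch its effective UID back to root. */
int root_state(const struct proc_uids *u)
{
    if (u->euid == 0) return 1;
    if (u->ruid == 0 || u->suid == 0) return 2;
    return 0;
}

/* Read /proc/<pid>/status and classify the process; -1 if unreadable. */
int check_pid(long pid)
{
    char path[64], line[256];
    struct proc_uids u;
    int state = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (parse_uid_line(line, &u)) { state = root_state(&u); break; }
    fclose(f);
    return state;
}

int main(int argc, char **argv)
{
    struct proc_uids u;
    if (argc > 1) { printf("%d\n", check_pid(strtol(argv[1], NULL, 10))); return 0; }
    /* Constructed sample line: effective UID 13, real and saved UID 0. */
    if (parse_uid_line("Uid:\t0\t13\t0\t13\n", &u)) printf("%d\n", root_state(&u));
    return 0;
}
```

Run it with the PID of each Squid process (master and workers) to compare what each one retains.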



