Years of inactivity: bugs in Squid proxy can expose user data

Carding 4 Carders

The open source software model has its drawbacks in the form of late elimination of shortcomings.

More than two years have passed since the discovery of 35 vulnerabilities in the Squid caching proxy, and they are still not fixed, warns the security expert who first reported these problems.

Squid is a web proxy widely used by Internet service providers and website owners. In February 2021, security specialist Joshua Rogers analyzed Squid and identified 55 vulnerabilities in the project's code.

So far, only 20 of them have been fixed. Most of the vulnerabilities have not received CVE identifiers, which means there are no official fixes or remediation advisories for them. Rogers, in a letter to the Openwall security community, said that after a long wait he decided to release this information.

Rogers detailed the vulnerabilities on his website, highlighting a variety of issues – use-after-free, memory leaks, cache poisoning, assertion failures, and other flaws in various components. At the same time, he expressed sympathy for the Squid team, noting that many open-source developers work on a volunteer basis and cannot always respond quickly to such reports.

The incident raises the question of who should be responsible for maintaining open source software. Given that there are more than 2.5 million Squid-based servers on the Internet, Rogers recommends that anyone who uses this product carefully study the vulnerability information and, if necessary, reconsider their choice in favor of other solutions.