I'm still trying to understand why it's described as "exploitable"?
It's like saying: the Linux kernel should not be a kernel, and init (or equivalent) should not run with uid 0 or 1.
Why does nobody complain about cockpit being a root process?

Thanks,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

-----Original Message-----
From: squid-dev <squid-dev-boun...@lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Thursday, March 3, 2022 09:17
To: squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] CVE-2019-12522

On 2/03/22 05:35, Adam Majer wrote:
> Hi all,
>
> There apparently was a CVE assigned some time ago but I cannot seem to
> find it being addressed.
>
> https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt
>
> The crux of the problem is that privileges are not dropped and could be
> re-acquired. There is even a warning against running squid as root but
> if root is one function call away, it seems it's the same.
>
> Any thoughts on this?
>

To quote myself:

"
We do not have an ETA on this issue. Risk is relatively low and several
features of Squid require the capability this allows in order to
reconfigure. So we will not be implementing the quick fix of fully
dropping root.
"

If anyone wants to work on it you can seek out any/all calls to enter_suid and see if they can be removed yet. Some may be able to go immediately, and some may need replacing with modern libcap capabilities.

HTH
Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
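
Added example, not part of the thread and not Squid code: on Linux, the state Adam describes (privileges lowered but re-acquirable) is visible in the `Uid:` line of `/proc/<pid>/status`, which lists the real, effective, saved and filesystem UIDs. The checker below, its function names and the sample text are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum uid_state { UID_PARSE_ERROR = -1, UID_DROPPED, UID_ROOT_RECOVERABLE, UID_RUNNING_AS_ROOT };

/* Constructed sample: a process that lowered only its effective UID (values invented). */
static const char SAMPLE_STATUS[] = "Name:\tworker\nUid:\t0\t31\t0\t31\nGid:\t31\t31\t31\t31\n";

/* Classify the "Uid:" line (real, effective, saved, filesystem) in status text. */
enum uid_state classify_status(const char *status)
{
    unsigned ruid, euid, suid, fsuid;
    const char *line = status;

    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            if (sscanf(line + 4, "%u %u %u %u", &ruid, &euid, &suid, &fsuid) != 4)
                return UID_PARSE_ERROR;
            if (euid == 0)
                return UID_RUNNING_AS_ROOT;
            /* Effective UID is lowered, but uid 0 is still held in the real or
             * saved slot, so the process may set its effective UID back to 0. */
            return (ruid == 0 || suid == 0) ? UID_ROOT_RECOVERABLE : UID_DROPPED;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return UID_PARSE_ERROR; /* no Uid: line found */
}

/* Read /proc/<pid>/status for a running process and classify it. */
enum uid_state classify_pid(long pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return UID_PARSE_ERROR;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return classify_status(buf);
}

int main(int argc, char **argv)
{
    enum uid_state s = argc > 1 ? classify_pid(strtol(argv[1], NULL, 10))
                                : classify_status(SAMPLE_STATUS);
    printf("%d\n", s);
    return s == UID_DROPPED ? 0 : 1;
}
```

Run with a PID as the only argument to inspect a live process; with no argument it classifies the constructed sample. A process that has fully dropped root shows no 0 in the real, effective or saved fields.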