Re: Squid security holes - current status?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 30 Nov 1998 23:55:20 +0100

Jason Haar wrote:

> What is the current status of security in Squid? Obviously that's
> a bit of a stupid question (i.e. answer: "it's secure until someone
> finds a hole in it")

Not a stupid question at all..

My current standpoint is (not necessarily the same as the NLANR
people):

Squid is not currently rated as secure. There may well be a
number of unknown buffer overflows or other bugs that may
seriously impact security if used in a sensitive environment
(like a firewall).

To my knowledge there has not been any serious security
auditing of the code. The developers do try to avoid
constructs that are known to be unsafe, but it is hard to
guarantee anything with these amounts of code and
dependencies on more or less secure OS libraries.

What I can promise is that we will fix any security problems
found as quickly as possible. Anyone willing to audit the
code is also more than welcome to do so.

Please send security comments/fixes to squid-bugs@ircache.net.
Squid-bugs is a somewhat closed list, allowing us to fix
the bug before every bad guy knows about it.

> but I think if it's run on a firewall where only your local
> users can access it (enforced by Squid ACLs AND by router/host
> ACLs), then it should be pretty hard to crack.

I would not trust using solely Squid ACLs to protect a
sensitive firewall. Always have an outer firewall (from
Squid's point of view, i.e. a packet filter at the host
or closest router) that filters who may access the proxy.

> I'm intending to run it in our new firewall environment
> chroot'ed and non-root and I'm "sure" it'll be fine :-)

Make sure you patch your system to not allow execution of
stack data as well. This is available for many OSes today
(tunable option on Solaris 2.6, kernel patch for Linux 2.0.X...).

> Buffer overflows were a problem back in some 1.x release - but
> they were fixed way back - could there be more?

It is very hard to tell when the last buffer overflow has been found
in a C program. I personally can't guarantee (and would not bet
on it either) that there currently are no buffer overflows or
similar errors in Squid.

---
Henrik Nordstrom
Spare time Squid hacker
Received on Mon Nov 30 1998 - 15:55:11 MST
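The layered approach Henrik recommends (Squid's own ACLs plus a packet filter on the host or nearest router, so the proxy's ACL code is never the only barrier) as an added example that is not part of the original thread. It assumes a hypothetical internal network 10.0.0.0/8, Squid's default port 3128 and a Linux host with iptables (which postdates the 1998 message; the same rules apply to any host packet filter).

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project.
# Layer 1: Squid ACLs in squid.conf restrict who may use the proxy.
# Layer 2: a host packet filter restricts who can even reach the proxy
#          port, so a bug in Squid's ACL or request parsing is not the
#          only thing between outside hosts and the proxy.
# Assumed (hypothetical) values: inside network 10.0.0.0/8, port 3128.

LOCALNET="${LOCALNET:-10.0.0.0/8}"
PROXY_PORT="${PROXY_PORT:-3128}"

# squid.conf fragment: allow only the local network, deny everything else.
squid_acl_fragment() {
    cat <<EOF
acl localnet src ${LOCALNET}
http_access allow localnet
http_access deny all
EOF
}

# Host packet-filter rules. Order matters: the explicit allow comes first,
# then a catch-all drop on the proxy port so no other source reaches Squid.
packet_filter_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$PROXY_PORT" "$LOCALNET"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$PROXY_PORT"
}

# With DRY_RUN=1 (the default) the rules are only printed, which is safe
# for a non-root user; DRY_RUN=0 executes them and requires root.
apply_packet_filter() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        packet_filter_rules
    else
        packet_filter_rules | sh
    fi
}

# Sanity check: both layers must end in an explicit deny/drop.
check_layers() {
    squid_acl_fragment | tail -n 1 | grep -q '^http_access deny all$' || return 1
    packet_filter_rules | tail -n 1 | grep -q -- '-j DROP$' || return 1
    return 0
}
```

Run `apply_packet_filter` with DRY_RUN=0 as root only after reviewing the printed rules; the squid.conf fragment goes before any broader `http_access` lines.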