Hi
Recently all squid versions were marked as vulnerable up to version 6.3. I have upgraded to 6.5 but it still reports the vulnerability.
one example of a vulnerability covered was patched in version 6.4 like SQUID-2023:3 Denial of Service in HTTP Digest Authentication · Advisory · squid-cache/squid · GitHub
How can i report the NVT to be updated?
Regards
Alex
Please update your feed and do the re-scan, the Squid 0-day vulnerabilities published at Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days | Squid-Security-Audit are a moving target and relevant VTs are getting updated along newly published information.
But in general it is expected that the following VT:
Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
OID: 1.3.6.1.4.1.25623.1.0.100439
is still reporting vulnerabilities even on a current / the most recent version 6.5 of Squid and there is no need for any update to the VT because many of these vulnerabilities (currently: 32) are not fixed yet by the Squid team / project.
but the problem is that in the higher versions these security vulnerabilities are addressed as per Security Overview · squid-cache/squid · GitHub and if all versions of squid are marked as vulnerable how can i prove to an auditor that the vulnerability is patched if my scanner still show it.
I do understand that is very difficult to keep track of all of these but i think that versions should be tagged individually rather than as a blanket
This is not correct:
Only a few of these security vulnerabilities are addressed, not all of them and thus the report is valid and there is no fix available for the other remaining 32 ones (e.g. the mentioned SQUID-2023:3 released recently fixed only a single out of the initial 35 open / reported vulnerabilities).
In short:
hi. Just got an answer from the squid developers and the official list for squid vulnerabilities is at Security Advisories · squid-cache/squid · GitHub
also there is an unofficial tracker for squid version 6.10 Unofficial status of "Joshua 55" vulnerabilities in Squid · GitHub
judging by the vulnerabilities close i consider that the Greenbone alert can be at least reduces in score if not removed completely.
There haven’t been changed much since back then:
As seen on Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days | Squid-Security-Audit there is still quite a huge amount (24 in total) of unfixed vulnerabilities / existing vulnerabilities not fixed in a final release in Squid (namely all which are listed on that page without a CVE assigned / listed on that overview). Those should also (mostly) match the ones which are only listed as having only mitigations available on Unofficial status of "Joshua 55" vulnerabilities in Squid · GitHub
As of today the reporting of the VT in question is still correct and there is no need for any updates / score updates so far.
If you disagree with the current assessment / scoring you can create an override on your own risk accordingly.
Note: Once there are new advisories from Squid project side available for sure the VT will be updated to remove that now fixed vulnerability/vulnerabilities from the description of the VT in question. Such fixed flaws will then be handled in a dedicated VT like happened in the past (see e.g. all more recent VTs having a reference to https://megamansec.github.io/Squid-Security-Audit/).
The situation is also constantly monitored from our side and newly published updates are getting reported to the original security researcher like done here for example: