NVT Update

Hi

Recently all Squid versions up to version 6.3 were marked as vulnerable. I have upgraded to 6.5 but it still reports the vulnerability.

One example of a covered vulnerability that was patched in version 6.4 is SQUID-2023:3 Denial of Service in HTTP Digest Authentication · Advisory · squid-cache/squid · GitHub.

How can I report the NVT to be updated?

Regards

Alex

Please update your feed and do the re-scan. The Squid 0-day vulnerabilities published at Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days | Squid-Security-Audit are a moving target, and the relevant VTs are being updated along with newly published information.

But in general it is expected that the following VT:

Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
OID: 1.3.6.1.4.1.25623.1.0.100439

is still reporting vulnerabilities even on the current / most recent version 6.5 of Squid, and there is no need for any update to the VT because many of these vulnerabilities (currently: 32) are not fixed yet by the Squid team / project.

3 Likes

But the problem is that in the higher versions these security vulnerabilities are addressed as per Security Overview · squid-cache/squid · GitHub, and if all versions of Squid are marked as vulnerable, how can I prove to an auditor that the vulnerability is patched if my scanner still shows it?

I do understand that it is very difficult to keep track of all of these, but I think that versions should be tagged individually rather than as a blanket.

This is not correct:

Only a few of these security vulnerabilities are addressed, not all of them, and thus the report is valid: there is no fix available for the other remaining 32 (e.g. the recently released SQUID-2023:3 mentioned above fixed only a single one out of the initial 35 open / reported vulnerabilities).

In short:

  • Even the most recent version 6.5 of Squid is affected by the remaining 32 vulnerabilities
  • There is no fix available for these yet
  • Reporting all versions of Squid as vulnerable against the remaining 32 vulnerabilities is expected / correct for the reasons outlined previously
  • It will probably take a few more months until the project / vendor is able to fix the remaining 32 open vulnerabilities
1 Like