Recently all squid versions were marked as vulnerable up to version 6.3. I have upgraded to 6.5 but it still reports the vulnerability.
one example of a vulnerability covered was patched in version 6.4 like SQUID-2023:3 Denial of Service in HTTP Digest Authentication · Advisory · squid-cache/squid · GitHub
How can i report the NVT to be updated?
Please update your feed and do the re-scan, the Squid 0-day vulnerabilities published at Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days | Squid-Security-Audit are a moving target and relevant VTs are getting updated along newly published information.
But in general it is expected that the following VT:
Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
is still reporting vulnerabilities even on a current / the most recent version 6.5 of Squid and there is no need for any update to the VT because many of these vulnerabilities (currently: 32) are not fixed yet by the Squid team / project.
but the problem is that in the higher versions these security vulnerabilities are addressed as per Security Overview · squid-cache/squid · GitHub and if all versions of squid are marked as vulnerable how can i prove to an auditor that the vulnerability is patched if my scanner still show it.
I do understand that is very difficult to keep track of all of these but i think that versions should be tagged individually rather than as a blanket
This is not correct:
Only a few of these security vulnerabilities are addressed, not all of them and thus the report is valid and there is no fix available for the other remaining 32 ones (e.g. the mentioned
SQUID-2023:3 released recently fixed only a single out of the initial 35 open / reported vulnerabilities).
- Even the most recent version 6.5 of Squid is affected by the remaining 32 vulnerabilities
- There are no fix available for these yet
- Reporting all versions of Squid as vulnerable against the remaining 32 vulnerabilities is expected / correct for the reasons outlined previously
- It probably will take a few more months until the project / vendor will be able fix the remaining open 32 vulnerabilities