Thirty-five of the 55 security vulnerabilities identified two years ago in the popular open-source caching and forwarding proxy Squid remain unpatched, according to SecurityWeek.
Attackers could leverage many of the flaws to trigger crashes, while some could allow arbitrary code execution against more than 2.5 million internet-exposed Squid proxy instances, said security researcher Joshua Rogers, who discovered and reported the bugs. With the Squid Team's lack of resources hindering the release of security patches, Rogers has urged organizations using the proxy to examine their implementations.
"With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system," said Rogers.