DescriptionAn issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster4.6-1+deb10u7vulnerable
buster (security)4.6-1+deb10u10vulnerable
bullseye (security), bullseye4.13-10+deb11u2vulnerable
squid3 (PTS)jessie, jessie (lts)3.5.23-5+deb8u7vulnerable
stretch (security)3.5.23-5+deb9u7vulnerable
stretch (lts), stretch3.5.23-5+deb9u10vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Only causes problems if some other vulnerability is used to compromise the proxy.
There is no upstream plan to fix the issue. The issue here is that some child
processes run as low-privilege but stay in a state where they can resume root
privileges. That is needed for reconfigure still. Architectural changes are needed
to resolve it without breaking some installations.

Search for package or bug name: Reporting problems