DescriptionAn issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster, buster (security)4.6-1+deb10u3vulnerable
bullseye, sid4.12-1vulnerable
squid3 (PTS)stretch3.5.23-5+deb9u1vulnerable
stretch (security)3.5.23-5+deb9u2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Only causes problems if some other vulnerability is used to compromise the proxy.
There is no upstream plan to fix the issue. The issue here is that some child
processes run as low-privilege but stay in a state where they can resume root
privileges. That is needed for reconfigure still. Architectural changes are needed
to resolve it without breaking some installations.

Search for package or bug name: Reporting problems