[Solved] Squid Update needed

8 Posts
4 Users
2 Reactions
133 Views
(@paddyk)
Active Member
Joined: 3 years ago
Posts: 12
Topic starter  

The Squid used in eBlocker is outdated. Please consider an urgent upgrade of the component.
There are several CVEs related to the used version:

CVE-2020-11945, CVE-2019-12519, CVE-2019-12524, CVE-2019-12526, CVE-2020-11945, CVE-2019-12524 are the critical ones. I also have 10 high-rated ones...
eBlocker should increase security and not compromise it

 

(@bpr)
Famed Member Admin
Joined: 6 years ago
Posts: 310
 

@paddyk these CVEs are fixed, you have to take the full version number into account, including the Debian patch level.

Currently, eBlockerOS is based on Debian Buster which will get security updates for two more years.

In eBlockerOS 2.9.1 the Squid version is 4.6.1+deb10u6 which is the current version in Buster:

https://packages.debian.org/buster/squid

The vulnerabilities you mentioned have been fixed by the Debian security team since version 4.6.1+deb10u2:

https://metadata.ftp-master.debian.org/changelogs//main/s/squid/squid_4.6-1+deb10u6_changelog

 


   
Random reacted
(@paddyk)
Active Member
Joined: 3 years ago
Posts: 12
Topic starter  

Thank you for the information. My company penetration test I did (for my personal eBlocker) said it found these vulnerabilities. I have to check that out again, but unfortunately my box is dead since last night. Raspberrys are not available so I wait for the virtual appliance.


   
(@benne)
Famed Member Admin
Joined: 6 years ago
Posts: 1097
 

@paddyk 

Thanks very much for your contribution.

We try hard to keep all components up to date on a frequent basis (last with the 2.9 update). But of course we rely on the Debian distro as @bpr pointed out - and do not apply patches besides the official releases.

Nevertheless we love any (bug) feedback and pen-tests so we can continuously improve.

As you seem to be a security specialist I'd like to invite you to join our team to help make eBlocker better... Just drop me a line via voluntary at eBlocker.org

Thanks very much for your support 👍 


   
Random reacted
(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2077
 
Posted by: @paddyk
eBlockerOS version
2.8.2

@paddyk We've released eBlockerOS 2.9 (where all the security issues mentioned should have been fixed) about a month ago. I don't understand why you are using an old version for your "pen-test". That's not helpful for anyone… - but rather a waste of time ☹️

Please make sure to test the latest version next time. Then we highly appreciate your feedback!

THX!


   
(@paddyk)
Active Member
Joined: 3 years ago
Posts: 12
Topic starter  

Sorry for the wrong version number I gave. I had the latest version on my box.

(I'm a donor and had auto update enabled).

As I said, I can't confirm anything, because my box broke... I'll test again when the VM-Edition is released and then contact the "Testing-Programm-Company" if it still shows the vulnerabilities.


   
(@benne)
Famed Member Admin
Joined: 6 years ago
Posts: 1097
 

@paddyk 

Please check our blog for the VM-Edition, we just published…


   
(@paddyk)
Active Member
Joined: 3 years ago
Posts: 12
Topic starter  

@random I've contacted the company of my penetration test as well and will let you know of their findings.


   