Your submission was sent successfully! Close


Published: 15 April 2020

An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.



CVSS 3 base score: 4.5


Package Release Status
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Ignored
(reached end-of-life)
focal Deferred

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Deferred

jammy Deferred

precise Does not exist

trusty Does not exist

upstream Needed

xenial Does not exist

Launchpad, Ubuntu, Debian
bionic Deferred

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Ignored
(end of ESM support, was deferred)
trusty Does not exist

upstream Needed

xenial Deferred