[squid-announce] Squid 3.5.6 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 9 03:40:56 UTC 2015


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.6 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2015:2 Improper Protection of Alternate Path

  http://www.squid-cache.org/Advisories/SQUID-2015_2.txt

When Squid passes a CONNECT request to a cache_peer it blindly relays the
peer's response back to the client. This can result in further requests on
that connection bypassing all access controls or routing configuration in
the gateway proxy that would otherwise have been applied.

The default Squid settings protect most sites against this. However,
certain known network topologies require the configuration that is
vulnerable.
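As an added illustration, not part of this announcement or of the advisory
text, the squid.conf fragment below contrasts a configuration of the kind
the advisory describes (CONNECT relayed through a cache_peer) with one that
keeps CONNECT requests off the peer. The peer name parent.example.net, the
port and the ACL names are assumptions; only one of the two variants goes
into a real squid.conf, and sites whose topology requires CONNECT to be
chained through the peer cannot use variant B and need the 3.5.6 upgrade.

```conf
# Constructed example, not from the Squid release or the advisory.
# Peer name, port and ACL names are assumptions.

acl CONNECT method CONNECT

# --- Variant A: the configuration the advisory describes -----------------
# Everything, CONNECT included, is relayed to the cache_peer because
# never_direct forbids going to origin servers. Before 3.5.6 the peer's
# reply to the CONNECT is relayed to the client unexamined, so further
# requests on that client connection can bypass this proxy's http_access
# and routing rules.
cache_peer parent.example.net parent 3128 0 no-query default
never_direct allow all

# --- Variant B: keep CONNECT off the peer (for sites that can go DIRECT) --
# always_direct is evaluated before never_direct, so CONNECT tunnels are
# opened by this proxy itself and remain under its own access controls;
# cache_peer_access additionally refuses to hand CONNECT to the peer.
# All other requests are still forced through the peer.
cache_peer parent.example.net parent 3128 0 no-query default
cache_peer_access parent.example.net deny CONNECT
always_direct allow CONNECT
never_direct allow all
```

After editing, run "squid -k parse" to confirm the directives are accepted,
and verify with a CONNECT request through the gateway that the tunnel is
now established by the gateway rather than by the peer.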


* Regression Bug 4193: Memory leak on FTP listings

Recent releases have leaked a small amount of memory on every successful
FTP directory listing. This has now been resolved.


* Bug 3329: The server side pinned connection is not closed properly

Squid's internal state for server connections closed by the remote end was
not updated correctly. This could leave pinned client connections hanging
until a timeout expired, after which an abort could be applied unexpectedly
to an unrelated connection.


* Bug 3875: bad mimeLoadIconFile error handling

This bug covered a small collection of errors that could occur when loading
icon files during startup. They may have resulted in various secondary
errors later when the icons were used. Squid now logs such failures at
startup and responds with 204 (No Content) when an icon that failed to load
is requested.


* Bug 4183: segfault when freeing https_port clientca on reconfigure or
exit.

This bug would appear on reconfigure when squid.conf contained the
http(s)_port clientca= parameter.


* Bug 3483: assertion failed store.cc:1866: 'isEmpty()'

This bug appeared at random after Squid had crashed, had been shut down
with short timeouts, or had encountered various cache access issues
(including bug 3875 above). While some of these causes still exist, this
release treats the resulting error properly as a SWAPFAIL and continues
operation instead of aborting with an assertion.


* TLS: Disable client-initiated renegotiation

Current OpenSSL libraries already protect against renegotiation. Squid does
not itself renegotiate, which avoids the specific CVE-2009-3555 issue. Using
only the latest TLS protocol version (as per Best Current Practice) also
protects against these effects.

However, client-initiated TLS/SSL renegotiation could still result in a
Denial of Service vulnerability for some libraries and configurations. This
change further hardens Squid against the SSL protocol flaw by rejecting
client attempts to renegotiate the security protocol after the initial
TLS/SSL client handshake has completed.

This change only has an effect when Squid is built against libraries that
allow vulnerable forms of renegotiation, or when Squid is configured to
allow SSLv3 downgrade renegotiation. Note that SSLv3 downgrade from TLS is
still permitted, but only before the initial client handshake has completed.


* Fix CONNECT failover to IPv4 after trying broken IPv6 servers

This bug affected Squid when attempting to open a TCP connection to a
server over broken IP connectivity. When the initial attempt timed out,
Squid would respond to the client with an error instead of trying the
remaining IP addresses.

Note that only broken IP connectivity is required to trigger this bug. The
break may exist when connecting to an IPv4 server or cache_peer. It is
currently more common on IPv6 connections due to sysadmins explicitly
breaking ("disabling") IPv6.


* Use relative-URL in errorpage.css for SN.png

The default errorpage.css file has previously been required, due to
technical problems, to use an absolute-URL to reference the default Squid
error-message icon. With the CSS3 behaviour of the current generation of
browsers, and bug 4132 fixed in the previous 3.5 release, this requirement
is lifted.

As of this release the default Squid error page icon uses a relative-URL
referring to the icon file published and installed with the Squid that
generates the error page (or any intervening Squid proxy closer to the
client). This resolves the privacy information leak concerns that some
sysadmins have raised.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

