[squid-announce] Squid 3.5.4 is available

Amos Jeffries squid3 at treenet.co.nz
Fri May 1 15:35:56 UTC 2015


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.4 release!


This release is a security and bug fix release resolving several
critical issues found in the prior Squid releases.


The major changes to be aware of:


* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate validation

  http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" or "bump" modes of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.


* Add server_name ACL matching server name(s) obtained from various sources

This ACL type allows SSL-Bumped traffic to match on the best available
server name information. It takes its value from the CONNECT URI, the TLS
SNI, or the server X509 certificate, depending on which of these the
current stage of TLS processing makes available.

It is designed primarily for deciding ssl_bump logic based on the server
domain name. Unlike dstdomain it does not perform an rDNS lookup when
presented with a raw IP address.
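As an added illustration (not part of the announcement or the Squid project's own documentation), the following squid.conf fragment shows the common use of this ACL: peek at the TLS ClientHello during the first bumping step, splice (pass through untouched) connections whose best-known server name falls under a domain that must not be intercepted, and bump the rest. In squid.conf the ACL is spelled ssl::server_name. The domains, the listening port, the certificate path and the ssl_crtd helper path are assumed placeholders, not values taken from the announcement.

```squid
# Added example, not from the announcement. Port, paths and domains are assumed.

# Bumping steps exposed to ACL logic
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Best available server name: CONNECT host, then SNI, then server certificate.
# Domain values are placeholders; a raw-IP CONNECT is matched literally,
# with no rDNS lookup (unlike dstdomain).
acl no_bump ssl::server_name .examplebank.test
acl no_bump ssl::server_name .payments.example

# Intercepting listener that generates per-site certificates on the fly
http_port 3129 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: only peek, so the SNI becomes available to ssl::server_name.
ssl_bump peek step1
# Step 2: leave the excluded domains end-to-end encrypted...
ssl_bump splice no_bump
# ...and bump everything else.
ssl_bump bump all
```

Because the server name is evaluated at each step with whatever information is then available, a rule that splices on ssl::server_name should be placed after a peek at step 1; otherwise only the CONNECT URI is known when the decision is taken. Run "squid -k parse" after editing to have the parser report any mistakes in the new directives.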


* Support for resuming TLS sessions

TLS and SSL contain a session resume feature which does not supply X509
certificates for Squid to mimic during the decryption. Previously Squid
has had to abort these connections, causing various client errors.

This release brings support for automatic splicing of resumed TLS
sessions. Bumping is not possible due to lack of certificate
information, and the old behaviour of responding with an error is
causing too many complaints.


* Basic support for ALPN and NPN TLS extensions

These TLS extensions are required to correctly splice or bump port 443
traffic now that the port is being heavily overloaded for use by non-HTTPS
protocols wrapped in TLS.

When bumping Squid negotiates for HTTP/1.1 over TLS (HTTPS) to be the
protocol used by both server and client so that Squid can process it.


* Multiple SSL-Bump related crashes

Several different causes of assertion failure when performing SSL-Bump
have been fixed.


* Add Kerberos support for Mac OS X 10.x

Support for Apple's custom Kerberos implementation is added in this release.



All users of Squid-3.5 with SSL-Bump features are urged to upgrade to
this release as soon as possible.

All users of Squid are encouraged to upgrade to this release as time
permits.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.

Upgrade tip:
  "squid -k parse" is starting to display even more
  useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


