[squid-announce] Squid 3.5.17 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 21 11:28:47 UTC 2016


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.17 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:5 - Buffer overflow in cachemgr.cgi

    http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
    aka. CVE-2016-4051

Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.


* SQUID-2016:6 - Multiple issues in ESI processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
    aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are
at risk. Check the advisory for more specific details on determining
whether your Squid is vulnerable.


* Bug #4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt

This bug was a regression introdued by the CVE-2016-3948 patch. Any
Squid patched for that issue should have this bug patched as well.


* Bug 4465: Header forgery detection leads to crash

This very annoying bug has finally been tracked down and solved.


* Add chained and signing cert to peek-then-bumped connections.

Until now Squid with this particular configuration case was only
delivering one of the certificates in the chain. Which can cause
problems when the clients are configured with a CA higher up the chain
than the one Squid is using to sign generated domain certs.

>From this release onwards Squid will deliver the whole certificate chain
and let the client determine whether it wil be trusted or not.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


More information about the squid-announce mailing list