[squid-announce] Squid 3.5.14 is available
Amos Jeffries
squid3 at treenet.co.nz
Tue Feb 16 06:18:04 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.14 release!
This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support performs outbound TLS server
connections independent of inbound client request type, it can be
triggered by a plain-text HTTP message.
Affected Squid versions are:
3.5.13, 4.0.4, 4.0.5 built using --with-openssl
See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected releases.
* Bug #4431: C code is not compiled with CFLAGS
This bug in the build toolchain has existed since at least 3.2 and
meant the few C objects still being built as part of Squid and helpers
were not being built using the proper CFLAGS values.
Builds for unusual environments or with customised CFLAGS values will
need to take some extra care and testing with this release to ensure the
desired compiler actions are occurring.
* Fix %un logging external ACL username
This issue affects both logging and the key_extras feature of 3.5 which
both rely on logformat codes. It shows up in two ways:
- For Squid relying exclusively on external ACL helper side-band
authentication the username would not be logged at all.
- For Squid relying on multiple sources of authentication the username
for another source could wrongly be displayed instead of the external
ACL provided value.
* Fix invalid FTP connection handling on blocked content
This issue shows up as 'hanging' FTP transactions when an ICAP service
has explicitly requested that they be blocked / rejected / denied.
All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
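
An added example, not part of the announcement or of the Squid project's own tooling: a shell check that classifies `squid -v` output against the SQUID-2016:1 affected list quoted above (3.5.13, 4.0.4, 4.0.5 built using --with-openssl). The function name, the sample output and the "unknown" result for suffixed version strings are assumptions made for this illustration; "not-affected" refers to SQUID-2016:1 only.

```shell
#!/bin/sh
# Classify `squid -v` output against the SQUID-2016:1 affected list quoted in
# the announcement: 3.5.13, 4.0.4, 4.0.5 built using --with-openssl.
# Prints: affected | not-affected | unknown
# (squid_2016_1_status is a hypothetical helper name, not a Squid tool.)

squid_2016_1_status() {
    info=$1    # full text of `squid -v`
    # Version line looks like "Squid Cache: Version 3.5.13"
    version=$(printf '%s\n' "$info" |
        sed -n 's/^Squid Cache: Version \([^[:space:]]*\).*/\1/p' | head -n 1)
    case $version in
        '') echo unknown; return 0 ;;
        3.5.13|4.0.4|4.0.5) ;;                                # listed releases
        3.5.13-*|4.0.4-*|4.0.5-*) echo unknown; return 0 ;;   # snapshot or vendor suffix
        *) echo not-affected; return 0 ;;
    esac
    # Build flags are on the "configure options:" line.
    opts=$(printf '%s\n' "$info" | sed -n 's/^configure options://p')
    if [ -z "$opts" ]; then
        echo unknown; return 0
    fi
    # --with-openssl=no disables OpenSSL support, same as --without-openssl.
    case $opts in *--with-openssl=no*) echo not-affected; return 0 ;; esac
    if printf '%s\n' "$opts" |
        grep -Eq "(^|[[:space:]'])--with-openssl(=|'|[[:space:]]|\$)"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample of `squid -v` output (not captured from a real host).
SAMPLE="Squid Cache: Version 3.5.13
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"

echo "sample: $(squid_2016_1_status "$SAMPLE")"
# Check the locally installed binary, if there is one.
if command -v squid >/dev/null 2>&1; then
    echo "local:  $(squid_2016_1_status "$(squid -v 2>&1)")"
fi
```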