[squid-announce] Squid 4.0.6 beta is available
squid3 at treenet.co.nz
Tue Feb 16 06:18:54 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.6 release!
This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.
NP: this release announcement also covers 4.0.5 change details.
The major changes to be aware of:
* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling
This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support perform outbound TLS server
connections independent of inbound client request type it can be
triggered by a plain-text HTTP message.
Affected Squid versions are:
3.5.13, 4.0.4, 4.0.5 built using --with-openssl
See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected Squid-4 releases.
* Several regression bugs fixed
- Bug 4436: Fix DEFAULT_SSL_CRTD
- Bug 4429: http(s)_port options= error message missing characters
- Bug 4410: compile error in basic_ncsa_auth after 4.0.4
- Bug 4403: helper compile errors after 4.0.4
- Bug 4401: compile error on Solaris
- Fix: TLS/SSL flags parsing
- Fix: cert validator always disabled in 4.0.x
- Fix: Name-only note ACL stopped matching after 4.0.4 (note -m)
- Fix: external_acl problems after 4.0.1
* SSL related helpers changed
This release adds two new ./configure options
These build options operate the same as external ACL and authentication
helper build options. But control whether the SSL certificate validator
and SSL-Bump certificate generator helper(s) are built.
As part of this change;
- the ssl_crtd helper is renamed to security_file_certgen
(built with --enable-security-generators=file), and
- the cert_valid.pl helper is renamed to security_fake_certverify
(built with --enable-security-validators=fake).
* Add connections_encrypted ACL
This new ACL only matches true when all the external connections
involved with a transaction (so far) have been secured. It can be used
to prohibit sending traffic received over a secure connection to
insecure services such as URL-rewriters, ICAP, eCAP, cache_peer, or to
set tcp_outgoing_* details differently for secure/insecure transactions.
* Fix SSL-Bump step 3 splice action
This bug shows up as Squid HTTPS transactions hanging while contacting
an upstream TLS server. It occurs when splice action is selected for use
at stage 3 of SSL-Bumping.
All users of Squid-4.0.x are urged to upgrade to this release as soon
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
Please refer to the release notes at
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
or the mirrors. For a list of mirror sites see
If you encounter any issues with this release please file a bug report.
More information about the squid-announce