From squid3 at treenet.co.nz  Wed Jul 4 05:02:50 2018
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Wed, 4 Jul 2018 17:02:50 +1200
Subject: [squid-announce] Squid 4.1 is available
Message-ID:

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.1 release!

This release is, we believe, stable enough for general production use.

Support for Squid-3.x bug fixes has now officially ceased. Bugs in 3.5 will continue to be fixed, however the fixes will be added to the 4.x series. All users of Squid-3.x are encouraged to plan for upgrades.

A short list of the major new features is:

 * RFC 6176 compliance (SSLv2 support removal)
 * Secure ICAP service connections
 * Add url_lfs_rewrite: a URL-rewriter based on local file existence
 * on_unsupported_protocol directive to allow Non-HTTP bypass
 * Update external_acl_type directive to use logformat codes
 * Experimental GnuTLS support for some TLS features
 * TLS/SSL related helpers renamed

Several features have been removed in 4.1:

 * refresh_pattern ignore-auth and ignore-must-revalidate options
 * cache_peer_domain directive
 * basic_msnt_multi_domain_auth helper
 * ESI custom parser - use XML2 or Expat instead.

Further details can be found in the release notes or the wiki.
  http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
  http://wiki.squid-cache.org/Squid-4

Please remember to run "squid -k parse" when testing an upgrade to a new version of Squid. It will audit your configuration files and report any identifiable issues the new release will have in your installation before you "press go".

Please be particularly aware that for the TLS features the removal of SSLv2 support may require manual attention to configuration settings when upgrading from any Squid-3 or older version.

All feature additions are considered *experimental* until they have survived at least one series of releases in general production use. Please be aware of that when rolling out features which are new in this series.
Not all use-cases have been well tested yet and some may not even have been implemented. Assistance is still needed despite the release's general stability level.

Plans for the next series of releases are already well underway. Our future release plans and upcoming features can be found at:
  http://wiki.squid-cache.org/RoadMap

See the ChangeLog for the full list of changes in this and earlier releases.

All users of Squid-4.0 beta releases are urged to upgrade to this release as soon as possible.

All users of Squid-3 are encouraged to upgrade where possible.

Please refer to the release notes at
  http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers
  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/

Amos Jeffries

From squid3 at treenet.co.nz  Tue Jul 31 06:08:36 2018
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Tue, 31 Jul 2018 18:08:36 +1200
Subject: [squid-announce] Squid 3.5.28 is available
Message-ID: <9613c3c7-4014-8b99-ec2a-2c71de224414@treenet.co.nz>

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.28 release!

This release is a security fix release resolving several major issues found in the prior Squid releases.

REMINDER: This and older releases are already deprecated by Squid-4.1 availability.
The major changes to be aware of:

 * SQUID-2018:1 / CVE-2018-1000024
   Crash processing SSL-Bumped traffic containing ESI
   http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

   This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service. Squid-3.5 is also vulnerable to some regular ESI server responses triggering this issue.

   This problem is limited to the Squid custom ESI parser. Squid built to use the libxml2 or libexpat XML parsers does not have this problem.

 * SQUID-2018:2 / CVE-2018-1000027
   Crash handling responses to internally generated requests
   http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

   Due to incorrect pointer handling Squid is vulnerable to a denial of service attack when processing ESI responses or downloading intermediate CA certificates.

   This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.

 * SQUID-2018:3 / CVE-2018-1172
   Crash in ESI Response processing
   http://www.squid-cache.org/Advisories/SQUID-2018_3.txt

   This problem allows a remote server delivering ESI responses to trigger a denial of service for all clients accessing the Squid service.

   This problem is limited to Squid operating as a reverse proxy.

 * Bug 4829: IPC shared memory leaks when disker queue overflows

   This bug occurs when Squid is configured with rock-only storage. After a long period of high load or a shorter period of extremely high load, disk IO drops entirely. Even after giving Squid time to recover and then resuming a low load the diskers were just not doing anything.

   A lot of "run out of shared memory pages for IPC I/O" errors may be seen during the high load, which continue to appear on smaller loads after the recovery time.
 * Bug 4767: SMP breaks IPv6 SNMP and cache manager queries

   This problem appears as a crash when Squid is operating with multiple workers and receiving IPv6 SNMP queries.

 * Bug 2821: Ignore Content-Range in non-206 responses

   Squid used to honor the Content-Range header in HTTP 200 OK (and possibly other non-206) responses, truncating (and possibly enlarging) some response bodies. RFC 7233 declares Content-Range meaningless for standard HTTP status codes other than 206 and 416. Squid now relays meaningless Content-Range as-is, without using its value.

 * SSL-Bump: fix authentication with schemes other than Basic

   Squid-3.4.5 included a fix for handling Basic authentication of a CONNECT tunnel which is being bump'ed. Requests within it were intended to inherit the credentials of the tunnel, allowing Squid ACLs to use authentication tests on the bumped traffic.

   This release finally extends that fix to make bumped traffic inherit the authentication credentials from the CONNECT tunnel regardless of authentication type.

 * TPROXY: Fix clientside_mark and client port logging

   The clientside_mark ACL was not working with TPROXY because a conntrack query could not find the connmark without a true client port. This also affected helpers and ACLs using the client dst-port number prior to logging when traffic was received with TPROXY.

 * Fix "Cannot assign requested address" for to-origin TPROXY FTP data

   This release adds the capability for TPROXY to be used on Native FTP traffic (received at ftp_port). Prior releases would present the above error when establishing the FTP data connection and abort the transaction.

All users of Squid-3 with SSL-Bump functionality are encouraged to upgrade to this release as soon as possible.

All other users of Squid-3 are encouraged to upgrade to this release as time permits.

See the ChangeLog for the full list of changes in this and earlier releases.
Please refer to the release notes at
  http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers
  http://www.squid-cache.org/Versions/v3/3.5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/

Amos Jeffries
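The RFC 7233 rule behind Bug 2821 in the 3.5.28 announcement above, written out as an added example. This is not Squid's code and not from the squid-announce posts: it is a small Python model of an HTTP relay that parses the byte-range form of Content-Range and only acts on it for 206 and 416 responses, with the pre-fix behaviour (honouring the header on a 200 OK and so truncating the body) kept beside the fixed behaviour for comparison. It assumes headers are handed in as a dict keyed by lower-cased field name; the sample response below is constructed for the demonstration.

```python
"""Content-Range handling per RFC 7233 (added example, not Squid code).

Content-Range is only meaningful on 206 (Partial Content) and 416
(Range Not Satisfiable).  A relay that trusts it on any other status
can cut a 200 OK body short, which is the Bug 2821 behaviour fixed in
Squid-3.5.28.
"""
import re

# Byte-range form only: "bytes first-last/complete" or "bytes */complete",
# where complete may be "*" when the total length is unknown.
_CONTENT_RANGE = re.compile(r"^bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)$", re.IGNORECASE)


def parse_content_range(value):
    """Parse a Content-Range value into (first, last, complete).

    An unsatisfied-range form ("bytes */N") yields first=last=None; an unknown
    complete length yields complete=None.  Returns None for anything that is
    not a well-formed byte-range spec (including last < first).
    """
    m = _CONTENT_RANGE.match(value.strip())
    if not m:
        return None
    first, last, complete = m.groups()
    first = int(first) if first is not None else None
    last = int(last) if last is not None else None
    complete = None if complete == "*" else int(complete)
    if first is not None and last < first:
        return None
    return (first, last, complete)


def effective_content_range(status, headers):
    """Return the parsed range only where RFC 7233 gives the header meaning.

    For every status other than 206 and 416 the header is relayed untouched
    and its value is ignored, so the caller gets None.  `headers` is assumed
    to be a dict keyed by lower-cased field names.
    """
    if status not in (206, 416):
        return None
    value = headers.get("content-range")
    if value is None:
        return None
    return parse_content_range(value)


def body_to_relay_legacy(status, headers, body):
    """Pre-3.5.28 behaviour from Bug 2821: the range is honoured on any status.

    A 200 OK carrying "bytes 0-4/100" therefore has its body cut to 5 bytes.
    """
    value = headers.get("content-range")
    parsed = parse_content_range(value) if value else None
    if parsed and parsed[0] is not None:
        first, last, _ = parsed
        return body[: last - first + 1]
    return body


def body_to_relay(status, headers, body):
    """Fixed behaviour: only a 206/416 range is consulted; otherwise the body
    is forwarded exactly as received, whatever Content-Range says."""
    parsed = effective_content_range(status, headers)
    if parsed and parsed[0] is not None:
        first, last, _ = parsed
        return body[: last - first + 1]
    return body


if __name__ == "__main__":
    # Constructed sample: a full 200 OK response that (wrongly) carries a
    # Content-Range header claiming only the first five bytes.
    hdrs = {"content-range": "bytes 0-4/100"}
    full_body = b"0123456789"
    print("legacy 200:", body_to_relay_legacy(200, hdrs, full_body))  # truncated
    print("fixed  200:", body_to_relay(200, hdrs, full_body))         # intact
    print("fixed  206:", body_to_relay(206, hdrs, b"01234"))          # range used
```

The point for anyone fronting origin servers with a proxy is that the status code, not the presence of the header, decides whether Content-Range carries information; a relay that forgets that can be made to corrupt cached or forwarded bodies by an origin that emits the header on the wrong status.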