[squid-announce] Squid-4.4 is available

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 28 16:09:02 UTC 2018


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.4 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2018:4
  Cross-Site Scripting issue in TLS error processing

 http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

This problem allows a malicious HTTPS server to trigger error
page delivery to a client and also inject arbitrary HTML code
into the resulting error response.

This problem is limited to Squid built with TLS / SSL support.


* SQUID-2018:5
  Denial of Service issue in SNMP processing.

 http://www.squid-cache.org/Advisories/SQUID-2018_5.txt

This problem allows a remote attacker to consume all memory
available to the Squid process, causing it to crash.

In environments where per-process memory restrictions are not
enforced strictly, or are configured to large values, this may also
affect other processes operating on the same machine, leading to
a much worse denial of service situation.

This problem is limited to Squid built with SNMP support and
receiving SNMP traffic.


* Bug 4893: Malformed %>ru URIs for CONNECT requests

This bug showed up as "://host:port" URLs being logged for some CONNECT
transactions in Squid-4.2 and 4.3. This release reverts Squid to the
previous log output.


* Fix %USER_CA_CERT_xx and %USER_CERT_xx

Previous Squid-4 would crash when these macros were used to pass values
to external ACL helpers. This issue is now fully resolved.


* Support compilation with minimal OpenSSL

Squid would not build successfully against an OpenSSL library
which had itself been built to omit deprecated features and API.
This Squid release should build in these minimized environments.



  All users of Squid-4 are urged to upgrade as soon as possible.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries

