[squid-announce] Squid 4.11 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 23 09:02:59 UTC 2020


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.11 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


 * SQUID-2019:12 Multiple issues in ESI Response processing
   (CVE-2019-12519, CVE-2019-12521)

These problems allow a remote server delivering certain ESI
response syntax to trigger a buffer overflow.

On systems with heap overflow protection the overflow will shut down
the proxy, causing a denial of service for all clients accessing
the Squid service.

On systems with ESI buffer pooling (the default) the overflow will
truncate portions of generated payloads, poisoning the HTTP
response cache with corrupted objects.

The CVE-2019-12519 issue also writes arbitrary attacker-controlled
data onto the process stack, allowing remote code execution with
certain crafted ESI payloads.

These problems are restricted to ESI responses received from an
upstream server. Attackers have to compromise the server or
transmission channel to utilize these vulnerabilities.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2019_12.txt>


 * SQUID-2020:4 Multiple issues in HTTP Digest authentication.
   (CVE-2020-11945)

Due to an integer overflow bug, Squid is vulnerable to credential
replay and remote code execution attacks against HTTP Digest
Authentication tokens.

When memory pooling is used this problem allows a remote client
to replay a sniffed Digest Authentication nonce to gain access
to resources that are otherwise forbidden.

When memory pooling is disabled this problem allows a remote
client to perform remote code execution through the freed nonce
credentials.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_4.txt>


* SQUID-2019:11 (CVE-2019-18679) complete fix

The initial patch for this vulnerability significantly hardened
Squid against attacks. However, it was still possible for an attacker
to gain information over time about a Squid instance.

This release completely removes that possibility.


 * Bug 5036: capital 'L's in logs when daemon queue overflows

This shows up on proxies that are too busy for the log daemon I/O
to keep up, or that output very long access.log lines.

This bug is just an annoyance: all other operations of the proxy
remain unaffected, but the extra characters can interfere with
processing of the log data.


 * Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations

This bug shows up on caching proxies with multiple SMP workers. The
visible symptoms are:
 - SNMP begins producing errors or NULL values instead of data,
 - cache manager reports indicate no traffic, or zero values,
 - possibly a reduced cache HIT rate.


 * Bug 5016: systemd thinks Squid is ready before Squid listens

systemd has been found to still have problems with the recent
--foreground behaviour updates. This release adds support for the
sd_notify systemd feature to work around that problem.

Please note this automatically adds a libsystemd dependency when that
library is available on the build machine. To prevent this dependency
and retain the existing behaviour, the --without-systemd build option
is provided.
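An added example, not from this announcement or the Squid project's own unit files: a systemd unit that relies on the new sd_notify support, shown beside the setting it replaces. The binary path, configuration path and the NotifyAccess value are assumptions.

```ini
# Before: Type=simple marks the unit active as soon as squid is exec'd,
# so units ordered after it (and "systemctl start") proceed before
# any listening port is bound. Paths below are assumed.
#[Service]
#Type=simple
#ExecStart=/usr/sbin/squid --foreground -f /etc/squid/squid.conf

# After (Squid 4.11 built with libsystemd): Type=notify makes systemd
# wait for the READY=1 message Squid sends via sd_notify once it is
# actually listening, so readiness now matches reality.
[Unit]
Description=Squid HTTP caching proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Squid forks kid processes; allow any process in the unit's cgroup to
# send the readiness notification. Assumption: tighten to
# NotifyAccess=main only if your build signals from the master process.
NotifyAccess=all
ExecStart=/usr/sbin/squid --foreground -f /etc/squid/squid.conf
ExecReload=/usr/sbin/squid -k reconfigure -f /etc/squid/squid.conf
KillMode=mixed
# Fail the start instead of hanging forever if READY=1 never arrives.
TimeoutStartSec=120

[Install]
WantedBy=multi-user.target
```

Confirm the unit is using notification with `systemctl show -p Type,NotifyAccess squid`; a build configured with --without-systemd never sends READY=1, so such a build must keep Type=simple or the start will time out.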



  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers:

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries

