[squid-announce] Squid 5.0.3 beta is available

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 19 12:16:53 UTC 2020


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.3 beta release!


This release is a security and feature update release resolving
several issues found in the prior Squid releases.


The major changes to be aware of:

 * SQUID-2020:5 Denial of Service when using SMP cache
   (CVE-2020-14059)

This problem may allow a remote client to trigger a Squid worker
assertion.

This attack is limited to SMP Squids using shared memory cache
and/or an SMP rock disk cache.


See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_5.txt>


 * SQUID-2020:6 Denial of Service issue in TLS handshake
   (CVE-2020-14058)

This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.

This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.

This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.

See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt>


 * Happy Eyeballs: Do not discard viable reforwarding destinations

When Happ Eyeballs starts opening two connections, both destinations
are removed from the destinations list. As soon as one connection
(X) succeeded, the other destination (Y) was essentially forgotten. If
Squid, after using X, decided to reforward the request, then the request
was never reforwarded to Y. We now return Y to the list of possible
destinations.



  All users of Squid-5 are urged to upgrade as soon as possible.

  All users of Squid-4 and older are encouraged to plan for upgrade.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


More information about the squid-announce mailing list