[squid-announce] Squid 4.15 is available

squid3 at treenet.co.nz
Mon May 10 12:33:20 UTC 2021


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.15 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of since 4.13:

  * SQUID-2020:11 HTTP Request Smuggling
    (CVE-2020-25097)

This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid
security controls.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6>


  * SQUID-2021:1 Denial of Service in URN processing
    (CVE-2021-28651)

This problem allows a malicious server in collaboration with a
trusted client to consume arbitrarily large amounts of memory
on the server running Squid.

Lack of available memory resources impacts all services on the
machine running Squid. Once initiated the DoS situation will
persist until Squid is shutdown.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4>


  * SQUID-2021:2 Denial of Service in HTTP Response Processing
    (CVE-2021-28662)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without any
malicious intent by the server.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h>


  * SQUID-2021:3 Denial of Service issue in Cache Manager
    (CVE-2021-28652)

This problem allows a trusted client to trigger memory leaks
which over time lead to a Denial of Service against Squid and
the machine it is operating on.

This attack is limited to clients with Cache Manager API access
privilege.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447>


  * SQUID-2021:4 Multiple issues in HTTP Range header
    (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)

These problems all allow a trusted client to perform Denial of
Service when making HTTP Range requests.

The CVE-2021-31808 problem allows a remote server to perform
Denial of Service when delivering responses to HTTP Range
requests. The issue trigger is a header which can be expected
to exist in HTTP traffic without any malicious intent.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf>


  * SQUID-2021:5 Denial of Service in HTTP Response Processing
    (CVE pending allocation)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without
any malicious intent by the server.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f>
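
For installations that cannot move to 4.15 immediately, the squid.conf
fragment below is an added example, not text from the Squid advisories,
showing how to cut off the two attack paths above that depend on a
client privilege the proxy itself controls: URN requests (SQUID-2021:1)
and Cache Manager access (SQUID-2021:3). The issues triggered by headers
in ordinary server responses (SQUID-2021:2, SQUID-2021:5 and
CVE-2021-31808) cannot be filtered out this way and need the upgrade.
The `admin_hosts` ACL and its addresses are assumptions for
illustration; `manager` is an ACL Squid 4 predefines. Rules are evaluated
in order, so these lines belong before any broad `http_access allow`.

```conf
# Added example (not from the Squid advisories): defence-in-depth for
# hosts still awaiting the 4.15 upgrade. Reduces exposure; does not
# replace the upgrade.

# SQUID-2021:1 -- Denial of Service in URN processing.
# Refuse every request for a urn: URI before Squid tries to resolve it.
acl URN proto URN
http_access deny URN

# SQUID-2021:3 -- Denial of Service in Cache Manager.
# The attack needs Cache Manager API privilege, so grant that privilege
# only to the hosts that administer the proxy. 'manager' is predefined;
# 'admin_hosts' is an assumed name, adjust the addresses to your site.
acl admin_hosts src 127.0.0.1/32 ::1
http_access allow admin_hosts manager
http_access deny manager

# ... the site's usual http_access rules follow here ...
```

After editing, run `squid -k parse` to validate the configuration and
`squid -k reconfigure` to apply it; confirm the deny rules took effect by
requesting a `urn:` URI and a `cache_object://` URI from a non-admin
client and checking for the expected 403 in access.log.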


   All users of Squid are urged to upgrade as soon as possible.
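
As an added example, not part of this announcement or of the Squid
project's own tooling, the script below turns "upgrade as soon as
possible" into a check: it reads the version from `squid -v` and compares
it, field by field, against 4.15. The comparison is plain dotted-numeric
ordering and nothing more; the version 4.15 as the reference point comes
from this announcement, everything else in the script is the editor's.

```shell
#!/bin/sh
# Added example (not from the Squid project): report whether the local
# Squid is at or above the 4.15 security release announced here.

FIXED_VERSION="4.15"

# version_at_least CURRENT MINIMUM
# Exit status 0 when CURRENT >= MINIMUM. Fields are compared numerically
# from left to right; missing trailing fields count as 0, so "4.15" and
# "4.15.0" compare equal. Only plain dotted-numeric strings are accepted.
version_at_least() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        # advance to the next field, or to the empty string after the last
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# installed_squid_version
# Prints the number from the first line of "squid -v"
# ("Squid Cache: Version 4.13"), or nothing if squid is not on PATH.
installed_squid_version() {
    squid -v 2>/dev/null | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p'
}

# squid_status VERSION
# Prints "fixed" when VERSION is at least $FIXED_VERSION, else "vulnerable".
squid_status() {
    if version_at_least "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

v="$(installed_squid_version)"
if [ -z "$v" ]; then
    echo "squid not found on PATH; call squid_status with a version, e.g. squid_status 4.13"
else
    echo "Squid $v: $(squid_status "$v") (reference release: $FIXED_VERSION)"
fi
```

Treat the result as triage, not proof: distribution packages often
backport security fixes while keeping the upstream version number (a
"4.13" from a vendor may already carry these patches), so confirm against
your distribution's security tracker or the changelog of the installed
package before closing a ticket on the strength of this check.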


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers:

   http://www.squid-cache.org/Versions/v4/
   ftp://ftp.squid-cache.org/pub/squid/
   ftp://ftp.squid-cache.org/pub/archive/4/

or from the mirrors. For a list of mirror sites see:

   http://www.squid-cache.org/Download/http-mirrors.html
   http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release, please file a bug report:
   http://bugs.squid-cache.org/


Amos Jeffries

