[squid-announce] Squid 5.0.6 beta is available

squid3 at treenet.co.nz squid3 at treenet.co.nz
Mon May 10 12:38:43 UTC 2021


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.6 beta release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of since 5.0.4:

  * SQUID-2020:11 HTTP Request Smuggling
    (CVE-2020-25097)

This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid
security controls.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6>


  * SQUID-2021:1 Denial of Service in URN processing
    (CVE-2021-28651)

This problem allows a malicious server in collaboration with a
trusted client to consume arbitrarily large amounts of memory
on the server running Squid.

Lack of available memory resources impacts all services on the
machine running Squid. Once initiated, the DoS situation persists
until Squid is shut down.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4>


  * SQUID-2021:2 Denial of Service in HTTP Response Processing
    (CVE-2021-28662)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without any
malicious intent by the server.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h>


  * SQUID-2021:3 Denial of Service issue in Cache Manager
    (CVE-2021-28652)

This problem allows a trusted client to trigger memory leaks
which over time lead to a Denial of Service against Squid and
the machine it is operating on.

This attack is limited to clients with Cache Manager API access
privilege.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447>


  * SQUID-2021:4 Multiple issues in HTTP Range header
    (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)

These problems all allow a trusted client to perform Denial of
Service when making HTTP Range requests.

The CVE-2021-31808 problem allows a remote server to perform
Denial of Service when delivering responses to HTTP Range
requests. The issue trigger is a header which can be expected
to exist in HTTP traffic without any malicious intent.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf>


  * SQUID-2021:5 Denial of Service in HTTP Response Processing
    (CVE pending allocation)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without
any malicious intent by the server.

See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f>


  * TLS/1.3 support improvements

Prior to TLS v1.3 Squid could detect and fetch missing intermediate
server certificates by parsing TLS ServerHello. TLS v1.3 encrypts the
relevant part of the handshake, making such "prefetch" impossible.

This release contains a workaround that should be able to identify
the missing certificates on most (but maybe not all) TLS connections.

This release enhances existing error detailing code so that more
information is logged via the existing %err_code, %err_detail,
%ssl::<negotiated_version and %ssl::>negotiated_version logformat
codes.

This release also fixes certificate validation error handling, which
has an immediate positive effect on the existing reporting of client
certificate validation errors.
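The extra error detail above only helps if someone reads it. The following is an added example (not Squid's own code) of a small parser and summariser for an access_log written with a logformat that appends the codes named above; it assumes a constructed logformat of the form `%ts.%03tu %>a %Ss/%03>Hs %rm %ru %err_code %err_detail %ssl::>negotiated_version %ssl::<negotiated_version`, and the field order, the sample log lines and the detail strings in them are all constructed for this example.

```python
from collections import Counter

# Added example, not Squid's code. Assumed (constructed) logformat:
#   logformat tlsdetail %ts.%03tu %>a %Ss/%03>Hs %rm %ru %err_code %err_detail \
#       %ssl::>negotiated_version %ssl::<negotiated_version
# ">" codes describe the client side of Squid, "<" codes the server side.
FIELDS = ("ts", "client", "status", "method", "url",
          "err_code", "err_detail", "client_tls", "server_tls")

# Constructed sample lines in that format (addresses, names and values are made up).
SAMPLE_LOG = """\
1620650323.123 192.0.2.10 TCP_TUNNEL/200 CONNECT example.com:443 - - TLS/1.3 TLS/1.3
1620650324.456 192.0.2.11 NONE/503 CONNECT bad.example:443 ERR_SECURE_CONNECT_FAIL SQUID_X509_V_ERR_CERT_CHANGE TLS/1.3 TLS/1.2
1620650325.789 192.0.2.12 NONE/503 CONNECT other.example:443 ERR_SECURE_CONNECT_FAIL X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY TLS/1.2 TLS/1.3
1620650326.012 192.0.2.10 TCP_TUNNEL/200 CONNECT example.net:443 - - TLS/1.2 TLS/1.2
"""


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; '-' (empty) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}


def records(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def tls_error_summary(log_text):
    """Count error entries by (err_code, err_detail, server-side TLS version)."""
    counts = Counter()
    for rec in records(log_text):
        if rec["err_code"] is None:
            continue  # successful tunnel, nothing to report
        counts[(rec["err_code"], rec["err_detail"], rec["server_tls"])] += 1
    return counts


def chain_failures(log_text):
    """(client, url, server TLS version) for records whose detail says the
    certificate chain could not be built, the case that fetching missing
    intermediate certificates is meant to avoid."""
    out = []
    for rec in records(log_text):
        detail = rec["err_detail"] or ""
        if "UNABLE_TO_GET_ISSUER_CERT" in detail:
            out.append((rec["client"], rec["url"], rec["server_tls"]))
    return out


if __name__ == "__main__":
    for key, n in tls_error_summary(SAMPLE_LOG).items():
        print(n, *key)
    print("chain failures:", chain_failures(SAMPLE_LOG))
```

Grouping by the server-side negotiated version separates failures on TLS 1.3 connections, where the workaround described above may not have identified a missing intermediate, from failures on earlier versions where the ServerHello-based prefetch still applies.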


  * Regression in CONNECT URI syntax

Since peering support for the SSL-Bump feature was added, CONNECT
request URIs have not always contained a port. Squid-5.0.5 and
later now correctly send a port number on all requests.
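A peer or upstream proxy that receives such a CONNECT request has to decide what to do with a request-target that lacks a port. The following is an added example (not Squid's code) of a parser for the authority-form request-target that CONNECT uses, with a checker that flags the port-less form and a normaliser that adds one. The default of 443 is an assumption of this example, not a Squid setting.

```python
import re

# Added example, not Squid's code. A CONNECT request-target is "authority-form":
# host:port, where host is a DNS name, an IPv4 literal, or a bracketed IPv6
# literal. The port is optional in this regex so that the port-less form
# produced by the regression described above can be detected rather than rejected.
_AUTHORITY_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def parse_connect_target(target):
    """Return (host, port); port is None when the target carries no explicit port."""
    m = _AUTHORITY_RE.match(target)
    if not m:
        raise ValueError(f"not an authority-form request-target: {target!r}")
    host = m.group("v6") or m.group("host")
    port = m.group("port")
    if port is None:
        return host, None
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {target!r}")
    return host, port


def normalize_connect_target(target, default_port=443):
    """Return the target with an explicit port, adding default_port if it is missing.

    default_port=443 is an assumption of this example (the usual CONNECT use).
    """
    host, port = parse_connect_target(target)
    if port is None:
        port = default_port
    if ":" in host:  # an IPv6 literal must stay bracketed
        return f"[{host}]:{port}"
    return f"{host}:{port}"


def check_connect_request_line(line):
    """Validate a raw CONNECT request line; return (ok, reason)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return False, "not a CONNECT request line"
    if not parts[2].startswith("HTTP/"):
        return False, "missing HTTP version"
    try:
        _, port = parse_connect_target(parts[1])
    except ValueError as exc:
        return False, str(exc)
    if port is None:
        return False, "request-target lacks a port"
    return True, "ok"


if __name__ == "__main__":
    for req in ("CONNECT example.com:443 HTTP/1.1",
                "CONNECT example.com HTTP/1.1",
                "CONNECT [2001:db8::1]:8443 HTTP/1.1"):
        print(req, "->", check_connect_request_line(req))
    print(normalize_connect_target("example.com"))
```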


   All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

   http://www.squid-cache.org/Versions/v5/
   ftp://ftp.squid-cache.org/pub/squid/
   ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

   http://www.squid-cache.org/Download/http-mirrors.html
   http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
   http://bugs.squid-cache.org/


Amos Jeffries

