[squid-users] [squid-announce] Squid 3.4.12 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 19 00:01:51 UTC 2015


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.12 release!


This release is a security fix release resolving several major issues
found in the prior Squid releases.

    REMINDER: This and older releases are already deprecated by
              Squid-3.5 availability.


The major changes to be aware of:


* Bug #3997: Excessive NTLM or Negotiate auth helper annotations

This bug appears whenever NTLM or Negotiate authentication is taking
place. On a busy server the outward appearance is excessive CPU usage
and associated loss of performance; a memory "leak" may also be seen
depending on the size of the authentication token. This state appears
at the worst possible moments when users are busy, and disappears some
time after users stop accessing the proxy.

Deepest apologies that this took so long to pin down, and a great
big Thank You to Steve Hill for tracking it down in the end.


* Bug #4066: Digest auth nonce indefinite rollover

This bug prevented the backend authentication system being contacted
to re-verify user credentials after their TTL has expired, making it
near impossible to kick off an active user by closing their account or
changing their password.

Please note that while this does have a security impact it is NOT
being considered for an advisory with CVE rating since the user has to
properly authenticate before they can abuse this.

A big Thank You to Frederic Bourgeois for tracking this one down.


* Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.

This bug was behind the strange behaviour on some installations where
TOS/Diffserv packet markings were not being performed despite explicit
configuration. Squid is now retaining the needed security permissions.


* Add TLS/SSL option NO_TICKET to http[s]_port

Squid now supports configuration of the TLS session ticket extension,
specifically disabling it in situations where it's undesirable to allow
OpenSSL the feature.
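
A configuration check for the option above, as an added example that is
not part of the original announcement or Squid's own code: it lists the
TLS-enabled http_port/https_port lines whose options= lacks NO_TICKET.
The sample squid.conf, its ports and paths are constructed; treating ','
and ':' as options= separators and cert=/ssl-bump as the marker of a
TLS-enabled http_port are assumptions.

```python
import re

# Constructed sample squid.conf; ports and paths are placeholders,
# not values taken from the announcement.
SAMPLE_CONF = """\
# plain forward proxy port, no TLS
http_port 3128
https_port 3129 cert=/etc/squid/proxy.pem options=NO_SSLv3,NO_TICKET
https_port 3130 cert=/etc/squid/proxy.pem options=NO_SSLv3
http_port 3131 ssl-bump cert=/etc/squid/ca.pem
"""


def tls_ports_allowing_tickets(conf_text):
    """Return (line_no, directive, address) for TLS listeners lacking NO_TICKET."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 2 or fields[0] not in ("http_port", "https_port"):
            continue
        directive, address, params = fields[0], fields[1], fields[2:]
        # Assumption: an http_port only speaks TLS when it carries
        # cert= or ssl-bump; an https_port always does.
        is_tls = directive == "https_port" or any(
            p == "ssl-bump" or p.startswith("cert=") for p in params)
        if not is_tls:
            continue
        flags = set()
        for p in params:
            if p.startswith("options="):
                # Assumption: option names are separated by ',' or ':'.
                value = p[len("options="):]
                flags.update(f for f in re.split(r"[,:]", value) if f)
        if "NO_TICKET" not in flags:
            findings.append((line_no, directive, address))
    return findings


if __name__ == "__main__":
    for line_no, directive, address in tls_ports_allowing_tickets(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {address} allows TLS session tickets")
```
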




 All users are encouraged to upgrade to the 3.5 series.

 All users of older 3.4 are urged to upgrade to this release as soon
as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries