[squid-users] Squid 3.5.9 RPM are available
Eliezer Croitoru
eliezer at ngtech.co.il
Thu Sep 24 00:00:38 UTC 2015
Since it's a security release I will not write an article this time.
But I am happy to release the new RPMs for squid cache 3.5.9.
In this release the major thing is a security update while I have ECAP
support for the CentOS 7 RPMs.
It is now a requirement for Squid on CentOS 7 to have the libecap libs
installed, which are available through the Squid RPM
repo [http://wiki.squid-cache.org/KnowledgeBase/CentOS].
It is advised to update to 3.5.9 if you are using ssl-bump.
Eliezer
On 21/09/2015 13:43, Amos Jeffries wrote:
> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-3.5.9 release!
>
>
> This release is a security and bug fix release resolving issues found in
> the prior Squid releases.
>
>
> The major changes to be aware of:
>
>
> * SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
> processing
>
> These problems allow any trusted client or external server to
> perform a denial of service attack on the Squid service and all
> other services on the same machine.
>
> However, the bugs are exploitable only if you have configured a
> Squid-3.5 listening port with ssl-bump.
>
> The visible signs of these bugs are a Squid crash or high CPU usage.
> Skype is known to trigger the crash and/or a small amount of extra CPU
> use unintentionally. Malicious traffic is possible which could have
> severe effects.
>
>
> * Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords
>
> The SMB LanMan authentication helper in Squid-3.2 and later has been
> rejecting valid user credentials.
>
> Reminder: Use of this helper is deprecated. We strongly recommend
> against using it. LanMan authentication gives the illusion of
> transmitting NTLM protocol while actually transmitting username and
> password with crypto algorithms that can be decoded in real-time (this
> helper relies on that ability). The combination makes it overall less
> secure than even HTTP Basic authentication.
>
>
> * TLS: Support SNI on generated CONNECT after peek
>
> When Squid generates CONNECT requests it will now attempt to use the
> client SNI value if any is known.
>
> Note that SNI is found during an ssl_bump peek action, so will only be
> available on some generated CONNECT. Intercepted traffic will always
> begin with a raw-IP CONNECT message which must pass access controls and
> adaptations before ssl_bump peek is even considered.
>
>
> * Quieten UFS cache maintenance skipped warnings
>
> This resolves the log noise encountered since the 3.5.8 release when
> large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.
>
>
>
> All users of Squid are urged to upgrade to this release as soon as
> possible.
>
>
> See the ChangeLog for the full list of changes in this and earlier
> releases.
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
> when you are ready to make the switch to Squid-3.5
>
> Upgrade tip:
> "squid -k parse" is starting to display even more
> useful hints about squid.conf changes.
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v3/3.5/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/3.5/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.html
> http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
>
> Amos Jeffries
>
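
As an added example (not part of the original messages and not Squid project tooling), the sh script below tests the two conditions the announcement gives for SQUID-2015:3: a Squid-3.5 release older than 3.5.9, and a listening port configured with ssl-bump. The function names are hypothetical, the sample squid.conf and its certificate paths are constructed, and it assumes the first line of `squid -v` reads "Squid Cache: Version X.Y.Z"; files pulled in with `include` are not followed.

```shell
#!/bin/sh
# Added example, not from the Squid project.

# Print "lineno: directive port" for each http_port/https_port line that
# carries the ssl-bump option; commented-out lines and trailing comments
# are ignored.
ssl_bump_ports() {
    awk '
        $1 == "http_port" || $1 == "https_port" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == "ssl-bump") { print NR ": " $1 " " $2; break }
            }
        }' "$1"
}

# Exit 0 when the first line of `squid -v` names a 3.5 release before 3.5.9.
is_pre_fix_35() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2            # unrecognised version string
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ "$1" = 3 ] && [ "$2" = 5 ] && [ "${3:-0}" -lt 9 ]
}

# $1 = version line, $2 = squid.conf path. Exit 0 means both conditions hold.
needs_3_5_9() {
    ports=$(ssl_bump_ports "$2")
    if is_pre_fix_35 "$1" && [ -n "$ports" ]; then
        printf 'upgrade to 3.5.9, ssl-bump ports:\n%s\n' "$ports"
        return 0
    fi
    echo "SQUID-2015:3 conditions not met"
    return 1
}

# Constructed sample config; the certificate paths are placeholders.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
http_port 3128
http_port 3129 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem
# https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
https_port 3131 cert=/etc/squid/proxy.pem  # no ssl-bump here
EOF
needs_3_5_9 "Squid Cache: Version 3.5.8" "$sample_conf" || true
```

On a real host, pass the first line of `squid -v` and the path to the live squid.conf instead of the sample values.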