[squid-users] Squid 4.0.23 beta RPM's are available

Eliezer Croitoru eliezer at ngtech.co.il
Sun Feb 4 00:10:35 UTC 2018


Hey All,

I have just published 4.0.23 RPM + SRPM beta packages for:
SLES 12
OpenSUSE Leap 42.3
Oracle Enterprise Linux 7
CentOS 7

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Sunday, January 21, 2018 09:52
To: squid-announce at lists.squid-cache.org
Subject: [squid-users] [squid-announce] Squid 4.0.23 beta is available

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.23 release!


This release is a security vulnerability and bug fix release resolving several issues found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2018:1 Denial of Service issue in ESI Response processing.

Squid would crash when receiving certain ESI syntax from its origin servers. This is particularly problematic for servers which only deliver the relevant syntax on uncommon responses so are not easily detected.

The SSL-Bump feature for HTTPS interception was entangled with reverse-proxy processing (and in some cases may still be). Making use of the SSL-Bump feature is also at risk of encountering the responses from servers. Both splice and bump actions are affected.


The fix for Squid-4 is to remove the affected ESI custom parser entirely. The use of libxml2 or libexpat is now required for ESI support. The default behaviour is to auto-select the most preferred library built against.

Installations explicitly choosing "esi_parser custom" in their squid.conf will need to change to one of the above mentioned libraries.


Please see the accompanying ADVISORY for details on determining your proxy vulnerability and for patches applicable to older versions.


* SQUID-2018:2 Denial of Service issue in HTTP Message processing.

Squid generating ESI sub-requests and requests by the new auto-Download feature for intermediary TLS certificates could lead to crashes when preparing to log the transaction. This issue can be triggered on demand by clients.

Please see the accompanying ADVISORY for details on determining your proxy vulnerability and for patches applicable to older versions.


* Bug 4679: User names not sent to url_rewrite_program

This bug appeared as a missing user name in url_rewrite_extras parameters to the re-writer program when that name was retrieved via an authorization mechanism instead of authorization. Specifically IDENT protocol or external ACL helpers.


* Bug 4631: security_file_certgen helper without disk cache

This helper's reliance on disk cache management can slow it down on some systems which are otherwise able to generate certificates fast. Running it purely from memory is now a possibility to avoid these performance issues. However, there is no memory cache as yet, so this memory-only operation requires generating new certificates on every lookup.

Admins encountering significant speed issues with SSL-Bump are encouraged to try this helper behaviour. Others


* Nettle v3.4 support

The Nettle library API used by Squid has undergone several updates across its 3.3 and 3.4 releases which make recent Squid not able to build with these recent libraries.

This Squid now supports the Nettle-3.4 API, with backward compatibility provided if older Nettle versions are being used.


* Fix %<Hs, %<pt, %<tt, %<bs calculation bugs for error responses

These logformat macros/codes were not producing accurate outputs in certain transactions. Most issues were related to CONNECT tunnel transactions, although some issues occurred in other transactions. All known issues with these macros/codes are fixed in this Squid release.



  All users of Squid-4.x are urged to upgrade to this release as soon as possible.

  All users of Squid-3 are encouraged to test this release out and plan for upgrades where possible.


  See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
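The SQUID-2018:1 item above says that installations selecting "esi_parser custom" in squid.conf must move to libxml2 or expat once they upgrade to 4.0.23, since the custom parser is removed. The script below is an added example (not part of the announcement or the Squid project) that an administrator could use to audit a squid.conf for the removed setting before upgrading, and to produce a corrected copy. It assumes the directive name `esi_parser` and the values `custom`, `libxml2` and `expat` named in the announcement; the squid.conf fragment it scans is constructed for illustration and written to a temporary file.

```shell
#!/bin/sh
# Added example: audit a squid.conf for the "esi_parser custom" setting that
# Squid-4.0.23 no longer supports, and emit a corrected copy for review.
# The configuration fragment below is constructed for this example.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed squid.conf fragment (not a real deployment)
http_port 3128
esi_parser custom
# esi_parser libxml2
cache_mem 256 MB
EOF

# Return 0 when the file still selects the removed custom ESI parser,
# 1 otherwise. Trailing comments are stripped first so that a commented-out
# "esi_parser custom" does not trigger a false positive.
uses_custom_esi_parser() {
    conf_file="$1"
    sed 's/#.*$//' "$conf_file" \
        | grep -Eq '^[[:space:]]*esi_parser[[:space:]]+custom([[:space:]]|$)'
}

# Print the config with "esi_parser custom" replaced by the chosen library
# (libxml2 by default, or expat). Output goes to stdout so the change can be
# diffed against the original before anything is overwritten.
replace_custom_esi_parser() {
    conf_file="$1"
    lib="${2:-libxml2}"
    sed -E "s/^([[:space:]]*)esi_parser[[:space:]]+custom([[:space:]]|$)/\1esi_parser ${lib}\2/" "$conf_file"
}

# Stand-alone usage: report the finding and show the corrected fragment.
if uses_custom_esi_parser "$SAMPLE_CONF"; then
    echo "esi_parser custom found in $SAMPLE_CONF; corrected version:"
    replace_custom_esi_parser "$SAMPLE_CONF" libxml2
else
    echo "no 'esi_parser custom' directive found in $SAMPLE_CONF"
fi
```

Pipe the output of `replace_custom_esi_parser` into `diff` against the live squid.conf rather than writing over it; the helper deliberately never edits in place.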