[squid-users] [squid-announce] Squid 4.9 is available

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 8 14:47:10 UTC 2019


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.9 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


 * SQUID-2019:6 Multiple Cross-Site Scripting issues in cachemgr.cgi
   (CVE-2019-13345)

The previous fix for this issue turned out to be incomplete. An
additional parameter has been identified as containing the same set of
XSS issues.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2019_6.txt>


Please note that the cachemgr.cgi tool is deprecated. All users of this
tool are advised to plan migration to the HTTP manager API provided by
current Squid proxies.


 * SQUID-2019:7 Heap Overflow in URN processing
   (CVE-2019-12526)

This allows a malicious client to write a substantial amount of
arbitrary data to the heap, potentially gaining the ability to
execute arbitrary code.

On systems with memory access protections this can result in
the Squid process being terminated unexpectedly, resulting in a
denial of service for all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_7.txt>


 * SQUID-2019:8 Multiple Issues in URI processing
   (CVE-2019-12523, CVE-2019-18676)

Any remote client may access resources which should be restricted
and not available to them, such as those protected behind client
IP ACLs. An attacker could also gain access to manager services when
the Via header is turned off.

Any remote client can perform a denial of service on all other
clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_8.txt>


 * SQUID-2019:9 Cross-Site Request Forgery in HTTP Request processing
   (CVE-2019-18677)

This issue allows attackers to hide origin servers for phishing
attacks or malware download URLs.

This issue is restricted to proxies with append_domain
configured. It is relatively easy for attackers to probe and
determine whether a target network proxy has this directive
along with its value.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_9.txt>


 * SQUID-2019:10 HTTP Request Splitting in HTTP message processing
   (CVE-2019-18678)

This issue allows attackers to smuggle HTTP requests through
frontend software to a Squid which splits the HTTP request
pipeline differently. The resulting response messages corrupt
caches between the client and Squid with attacker-controlled content
at arbitrary URLs.

Effects are isolated to software between the attacker client and
Squid. There are no effects on Squid itself, nor any upstream
servers.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_10.txt>


 * SQUID-2019:11 Information Disclosure in HTTP Digest Authentication
   (CVE-2019-18679)

Nonce tokens contain the raw byte value of a pointer which sits
within a heap memory allocation. This information reduces ASLR
protections and may aid attackers in isolating memory areas to
target for remote code execution attacks.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_11.txt>


 * Bug 4966: Lower cache_peer hostname

This shows up as a DNS failure to resolve the peer name if it was
configured with any upper case characters.

The change to always lower-case peer names may affect configurations
relying on mixed case instead of the name= parameter to allow multiple
entries for a peer name and port.

It may also affect configurations using mixed or upper-case peer names
with the peername or peername_regex ACL type. Admins using these
configurations should take extra care when upgrading, as the ACL may not
provide any warning before it stops matching a peer.


 * TLS: Multiple SSL-Bump fixes

This release brings multiple important fixes to how Squid SSL-Bump
features parse TLS traffic and interact with the certificate validation
helper(s).

The issues solved show up as TLS protocol failures with no indication
in a TLS traffic trace of any invalid data, or sometimes as connection
timeouts. Unfortunately those same effects may come from many other
causes as well, which may not be fixed yet.

This version of Squid should now be considered the minimum supported for
debugging TLS protocol weirdness when using SSL-Bump or related features.


 * TLS: Fix expiration of self-signed generated certs to be 3 years

The certificate generator previously produced certificates with an
expiry timestamp slightly short of 3 years. This is perfectly valid, but
may be surprising for systems expecting a whole multiple of years.

This release generates new certificates with the updated time period.
Old certificates will continue to be used with the old period until they
expire, or are discarded from the certificate cache.


 * TLS: Fix on_unsupported_protocol tunnel action

Instead of tunneling traffic, a matching on_unsupported_protocol
"tunnel" action resulted in a Squid error response sent to the client
(or, where an error response was not possible, in a connection closure).


 * Fix several rock cache_dir corruption issues

The previous design of the rock storage system meant that rock caches
may become littered with incomplete objects, or objects with an incorrect
final chunk. Data protection measures will normally catch these and
report metadata mismatches. However, there is a possibility that some
such responses may be delivered.

It is recommended that users with cache_dir rock configured perform a
cache erase and rebuild procedure during or shortly after upgrading.
 <https://wiki.squid-cache.org/SquidFaq/ClearingTheCache>
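As an added example (not part of the announcement or the Squid project), the following Python check walks a squid.conf and flags the configuration items the notes above call out for the 4.9 upgrade: mixed-case cache_peer names and peername/peername_regex ACL values (Bug 4966), append_domain (SQUID-2019:9), Digest authentication (SQUID-2019:11) and rock cache_dir stores (cache erase and rebuild). The squid.conf fragment is constructed for the example.

```python
# Constructed squid.conf fragment (sample input, not from the announcement).
SAMPLE_CONF = """\
http_port 3128
append_domain .example.internal
cache_peer Parent.Example.Net parent 3128 0 no-query
cache_peer parent.example.net parent 8080 0 no-query name=alt   # lower-case: fine
acl toParent peername Parent.Example.Net
acl toAlt peername_regex ^Parent
auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/digest
cache_dir rock /var/cache/squid/rock 1024
"""

PEER_ACLS = ('peername', 'peername_regex')

def audit_squid_conf(conf_text):
    """Return (directive, line_no, note) findings relevant to the Squid 4.9 upgrade notes."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        directive, *args = line.split()
        if directive == 'cache_peer' and args and args[0] != args[0].lower():
            # Bug 4966: 4.9 lower-cases peer hostnames, so mixed case no longer
            # distinguishes two entries sharing a host and port; name= does.
            findings.append((directive, no,
                f'peer {args[0]!r} will be lower-cased; use name= to keep peers distinct'))
        elif directive == 'acl' and len(args) >= 3 and args[1] in PEER_ACLS:
            # peername / peername_regex values are compared with the (now lower-cased)
            # peer name; option tokens such as -i are skipped.
            for value in args[2:]:
                if not value.startswith('-') and value != value.lower():
                    findings.append((directive, no,
                        f'{args[1]} value {value!r} has upper-case characters and may stop matching'))
        elif directive == 'append_domain':
            # SQUID-2019:9 (CVE-2019-18677) is restricted to proxies with append_domain.
            findings.append((directive, no, 'append_domain set: SQUID-2019:9 applies to releases before 4.9'))
        elif directive == 'auth_param' and args[:1] == ['digest']:
            # SQUID-2019:11 (CVE-2019-18679): Digest nonces disclosed a heap pointer before 4.9.
            findings.append((directive, no, 'Digest auth in use: SQUID-2019:11 applies to releases before 4.9'))
        elif directive == 'cache_dir' and args[:1] == ['rock']:
            # The announcement recommends a cache erase and rebuild for rock stores.
            findings.append((directive, no, 'rock cache_dir: erase and rebuild the cache around the upgrade'))
    return findings

if __name__ == '__main__':
    for directive, no, note in audit_squid_conf(SAMPLE_CONF):
        print(f'line {no}: {directive}: {note}')
```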



  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries



