[squid-users] [squid-announce] Squid 5.0.2 beta is available

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 23 09:03:02 UTC 2020


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.2 beta release!


This release is a security and feature update release resolving
several issues found in the prior Squid releases.


The major changes to be aware of:


 * SQUID-2019:12 Multiple issues in ESI Response processing
   (CVE-2019-12519, CVE-2019-12521)

These problems allow a remote server delivering certain ESI
response syntax to trigger a buffer overflow.

On systems with heap overflow protection overflow will shutdown
the proxy causing a denial of service for all clients accessing
the Squid service.

On systems with ESI buffer pooling (the default) overflow will
truncate portions of generated payloads. Poisoning the HTTP
response cache with corrupted objects.

The CVE-2019-12519 issue also overwrites arbitrary attacker
controlled information onto the process stack. Allowing remote
code execution with certain crafted ESI payloads.

These problems are restricted to ESI responses received from an
upstream server. Attackers have to compromise the server or
transmission channel to utilize these vulnerabilities.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2019_12.txt>


 * SQUID-2020:4 Multiple issues in HTTP Digest authentication.
   (CVE-2020-11945)

Due to an integer overflow bug Squid is vulnerable to credential
replay and remote code execution attacks against HTTP Digest
Authentication tokens.

When memory pooling is used this problem allows a remote client
to replay a sniffed Digest Authentication nonce to gain access
to resources that are otherwise forbidden.

When memory pooling is disabled this problem allows a remote
client to perform remote code execution through the free'd nonce
credentials.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_4.txt>


* SQUID-2019:11 (CVE-2019-18679) complete fix

The initial patch for this vulnerability significantly hardened
against attacks. However it was still possible for an attacker
to gain information over time about a Squid instance.

This release completely removes that possibility.


 * Bug 5030: Negative responses are never cached

This bug shows up as cacheable 4xx and 5xx responses not being
cached despite negative_ttl configuration. This release brings
4xx and 5xx responses inline with the expected caching behaviour.


 * Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs

Please note that as of this fix cache.log and stderr output from
several Squid processes has changed significantly.

All output from the Squid master process is now delivered to its
stderr and logged by the OS according to kernel policy for daemons.
Typically that means the kernel 'messages' log and/or system boot
log. This includes all information logged during the lifetime of
the Squid instance by the master process.

All output from the coordinator and kid processes is logged to
cache.log. cache.log is opened slightly earlier than in previous
Squid releases, and information logged prior to its opening is no
longer logged.


 * High precision time units

This feature addition to squid.conf allows some configuration options
to accept high precision (nanosecond) resolution settings. At this
time most settings are left with their existing range of values.
Changes are detailed in the release notes for altered directives.


  All users of Squid-5 are urged to upgrade as soon as possible.

  All users of Squid-4 and older are encouraged to plan for upgrade.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


More information about the squid-users mailing list