[squid-users] [squid-announce] Squid 4.10 is available

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 3 14:18:56 UTC 2020


On 4/02/20 12:54 am, Amos Jeffries wrote:
> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-4.10 release!
> 
> 
> This release is a security release resolving several issues found in
> the prior Squid releases.
> 
> 
> The major changes to be aware of:
> 
> 
>  * SQUID-2020:1 Improper Input Validation issues in HTTP Request
>    processing
>    (CVE-2020-8449, CVE-2020-8450)
> 
> This issue allows attackers to perform denial of service on the
> proxy and all clients using it.
> 
> This issue potentially allows attackers to bypass security access
> controls in systems between client and proxy.
> 
> This issue potentially allows remote code execution under the
> proxy low-privilege level. While restricted, it does have access
> to a wide range of information about the network structure and
> other clients using the proxy.
> 
> This issue is limited to Squid acting as a reverse-proxy. Some
> effects also require allow_direct permissions.
> 
> See the advisory for updated patches:
>  <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>
> 
> 
> Please note that NTLM is a deprecated authentication mechanism.
> All users of this tool are advised to plan migration to
> Negotiate/Kerberos authentication.
> 

Apologies. This note was supposed to be under SQUID-2020:3 issue.
The issue(s) above are not related to NTLM.

> 
>  * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
>    (CVE-2019-12528)
> 
> Certain FTP server responses can result in Squid revealing
> random amounts of memory content from heap.
> 
> When Squid mempools feature is enabled the leak is limited to
> lines in FTP directory listings, possibly from other clients.
> 
> When mempools is disabled the information may be anything from
> the heap area including information from other processes on the
> machine.
> 
> See the advisory for more details:
>  <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>
> 
> 
>  * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
>    (CVE-2020-8517)
> 
> This problem is limited to installations using the ext_lm_group_acl
> binary (previously shipped as mswin_check_lm_group).
> 
> Due to incorrect input validation the NTLM authentication
> credentials parser in ext_lm_group_acl may write to memory
> outside the credentials buffer.
> 
> On systems with memory access protections this can result in
> the helper process being terminated unexpectedly, resulting
> in the Squid process also terminating and a denial of service for
> all clients using the proxy.
> 
> See the advisory for more details:
>  <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>
> 
> 
>  * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
> 
> This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
> issue was incorrect memory alignment with certain cache sizes. This
> Squid release now forces alignment of the critical rock page details.
> 
> 
>  * Bug 4735: Truncated chunked responses cached as whole
> 
> This bug shows up as clients getting the cached truncated response
> objects until the cache object expires or is force removed.
> 
> In the absence of partial-object caching this Squid release treats
> incomplete responses as non-cacheable and prevents the chunked encoding
> terminator chunk being delivered to the active client(s).
> 
> 
>  * Fix server_cert_fingerprint on cert validator-reported errors
> 
> This bug shows up as a server_cert_fingerprint ACL mismatch when
> sslproxy_cert_error directive was applied to validation errors reported
> by the certificate validator, because the ACL could not find the server
> certificate.
> 
> 
>   All users of Squid are urged to upgrade as soon as possible.
> 
> 
> See the ChangeLog for the full list of changes in this and earlier
> releases.
> 
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
> when you are ready to make the switch to Squid-4.
> 
> This new release can be downloaded from our HTTP or FTP servers
> 
>   http://www.squid-cache.org/Versions/v4/
>   ftp://ftp.squid-cache.org/pub/squid/
>   ftp://ftp.squid-cache.org/pub/archive/4/
> 
> or the mirrors. For a list of mirror sites see
> 
>   http://www.squid-cache.org/Download/http-mirrors.html
>   http://www.squid-cache.org/Download/mirrors.html
> 
> If you encounter any issues with this release please file a bug report.
>   http://bugs.squid-cache.org/
> 
> 
> Amos Jeffries
> _______________________________________________
> squid-announce mailing list
> squid-announce at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-announce
> 
