[squid-announce] Squid 3.4.8 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 2 06:38:05 UTC 2014


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.8 release!


This release is a security release resolving several vulnerability
issues found in the prior Squid releases.


The major changes to be aware of:


* CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing

  http://www.squid-cache.org/Advisories/SQUID-2014_3.txt

This vulnerability allows any client who is allowed to send SNMP
packets to the proxy to perform a denial of service attack on Squid.

The issue came to light as the result of active 0-day attacks. Since
publication, several other attack sightings have been reported.


* CVE-2014-7141 and CVE-2014-7142 : SQUID-2014:4

  http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

These vulnerabilities allow a remote attack server to trigger DoS or
information leakage by sending various malformed ICMP and ICMPv6
packets to the Squid pinger helper.
The worst-case DoS scenario is a rarity; a more common impact will be
general service degradation for high-performance systems relying on
the pinger for realtime network measurement.


 All users of Squid are urged to upgrade to this release as soon as
possible.



 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4.

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
