[squid-announce] Squid 3.3.14 is available
Amos Jeffries
squid3 at treenet.co.nz
Fri May 1 15:35:35 UTC 2015
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.3.14 release!
This release is a security fix release resolving several vulnerabilities
found in the prior 3.3 releases.
REMINDER: This and older releases are already deprecated by
Squid-3.4 availablility.
The major changes to be aware of:
* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate valdidation
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.
However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" mode of operation.
Sites that do not use SSL-Bump are not vulnerable.
A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.
* CVE-2014-7141, CVE-2014-7142 : SQUID-2014:4 Multiple issues in pinger
ICMP processing.
Several bugs allow any remote server to perform a denial of service
attack on the Squid service by crashing the pinger.
Some of these bugs allow attackers to leak arbitrary amounts of
information from the heap into Squid log files. This is of higher
importance than usual because the pinger process operates with root
priviliges.
* CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing
The bug is important because it allows remote attackers to crash Squid,
causing a disruption in service. However, the bug is exploitable only
if you have configured Squid to receive SNMP messages.
Sites that do not use SNMP are not vulnerable.
All users are urged to upgrade as soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go". We are still removing the infamous "Bungled
Config" halting points and adding checks, so if something is not
identified please report it.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.3/RELEASENOTES.html
when you are ready to make the switch to Squid-3.3
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.3/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.3/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list