[squid-announce] Squid 4.0.8 beta is available
Amos Jeffries
squid3 at treenet.co.nz
Sat Apr 2 08:26:37 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.8 release!
This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:4 - Denial of Service issue in HTTP Response processing
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
aka. CVE-2016-3948
This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
"String.cc:*: 'len_ + len <65536'"
There is an attack in the wild for this one, but not as widely as for
the previous issues.
* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
aka. CVE-2016-3947
This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.
All previous Squid-4 releases are affected by both these issues. See the
advisory for further details. Upgrade should be considered a high priority.
* Bug #3826: SMP compatibility with systemd and --foreground option
The process management redesign in Squid-4 has finally reached a point
where we can say Squid is compatible with the systemd init system even
when SMP workers are used. A .service file is provided to control Squid
properly without any noticable glitches or lack of SMP functionality.
These changes are not specific to systemd, the same design fixes many
outstanding issues Squid had with Upstart and OpenRC init systems and
third party daemon managers in general.
* Bug #1979: Add ACL-driven server_pconn_for_nonretriable
This new squid.conf directive allows admin to tune when Squid can re-use
existing persistent connections for requests such as POST which are
usually quite risky. The risk is that the connection gets terminated
suddenly while Squid is still sending and it has to be bumped back to
the client as an error page. Some networks are loaded with enough
traffic that this is only a low risk and can use persistent connections
fine.
* Bug #4459: FHS compliance updates
The FHS standard indicates the /var/cache/squid/ path should be used for
cached data. The netdb features data journal fully meets the criteria so
has been moved there. The ssl_crtd database (ssl_db/ directory) almost
meets the criteria, and has been moved due to its security need for
particular path permissions.
Explicitly configured alternative locations will remain where they are.
New installations and implicit default paths will automatically change
to using these locations when upgrading to this Squid version.
* Add reply_header_add directive
This new directivs adds the ability to add custom response headers to
replies sent to the client. Matching the already existing
request_header_add directive which operates on server requests. At
present CONNECT tunnels and 1xx status responses are not affected by
this new directive.
* Add reply_header_add directive
When using SMP functionality Squid makes use of shared memory. If the
system is not able to allocate enough memory Squid can crash with SIGBUS
errors.
This new directive adds the ability to pre-allocate all necessary shared
memory when Squid is starting. Doing this will ensure that Squid has the
necessary amount of shared memory available when running (or will halt
during startup), but the process can be quite slow. The default for now
is to retain the old behaviour and allocate shared memory only when it
is needed.
All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list