[squid-announce] Squid 3.5.17 is available
Amos Jeffries
squid3 at treenet.co.nz
Thu Apr 21 11:28:47 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.17 release!
This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:5 - Buffer overflow in cachemgr.cgi
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
aka. CVE-2016-4051
Due to incorrect buffer management, the Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.
* SQUID-2016:6 - Multiple issues in ESI processing.
http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054
This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.
At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.
Most Squid-3 and Squid-4 installations configured as a reverse proxy or
for SSL-Bumping are at risk. Check the advisory for more specific details
on determining whether your Squid is vulnerable.
* Bug #4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt
This bug was a regression introduced by the CVE-2016-3948 patch. Any
Squid patched for that issue should have this bug patched as well.
* Bug 4465: Header forgery detection leads to crash
This very annoying bug has finally been tracked down and solved.
* Add chained and signing cert to peek-then-bumped connections.
Until now, Squid in this particular configuration case was only
delivering one of the certificates in the chain, which can cause
problems when the clients are configured with a CA higher up the chain
than the one Squid is using to sign generated domain certs.
From this release onwards Squid will deliver the whole certificate chain
and let the client determine whether it will be trusted or not.
All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries