[squid-announce] Squid 4.0.17 beta is available

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 17 16:04:13 UTC 2016


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.17 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2016:10 Information disclosure in Collapsed Forwarding
 <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This problem only affects Squid configured to use the Collapsed
Forwarding feature. It is of particular importance for HTTPS
reverse-proxy sites with Collapsed Forwarding.

This problem is present on all 3.5 releases, though 3.5.22 is hit worst
due to the collapsed revalidation extension increasing the scope of
traffic which can be collapsed.


* SQUID-2016:11 Information disclosure in HTTP Request processing
 <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This vulnerability is present in all Squid-3.1 and later versions. The
only known workaround is to prevent caching entirely, which is far from
ideal.


* TLS: Support tunneling of bumped non-HTTP traffic

Previously, the use of "on_unsupported_protocol tunnel" resulted in
encrypted HTTP 400 (Bad Request) messages sent to clients that do not
speak HTTP(S), such as Skype groups, which appear to use TLS-encrypted
MSNP protocol instead of HTTPS.

This Squid allows admins using SslBump to tunnel Skype groups and
similar non-HTTP traffic bytes via "on_unsupported_protocol tunnel all".



 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
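
Added example, not part of the announcement or of Squid itself: a small audit of squid.conf text for the two conditions the SQUID-2016:10 item names, Collapsed Forwarding enabled and an HTTPS reverse-proxy listener. The sample configuration is constructed, the function names are hypothetical, and comment handling is simplified.

```python
# Added example: audits squid.conf text for the SQUID-2016:10 exposure conditions.
# Constructed sample configuration; hostname and certificate path are placeholders.
SAMPLE_CONF = """\
# reverse proxy in front of an HTTPS site
https_port 443 accel defaultsite=www.example.com tls-cert=/etc/squid/site.pem
collapsed_forwarding off
collapsed_forwarding on   # re-enabled further down the file
"""


def parse_directives(text):
    """Yield (name, args) for each directive, skipping comments and blank lines."""
    for raw in text.splitlines():
        # Simplification: '#' starts a comment anywhere (a quoted '#' is not handled).
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def audit(text):
    """Report the settings the announcement ties to SQUID-2016:10."""
    collapsed = False        # collapsed_forwarding defaults to off
    https_accel = False
    for name, args in parse_directives(text):
        if name == "collapsed_forwarding" and args:
            collapsed = args[0].lower() == "on"   # a later line overrides an earlier one
        elif name == "https_port" and "accel" in args:
            https_accel = True                    # HTTPS reverse-proxy listener
    if not collapsed:
        verdict = "not exposed"
    elif https_accel:
        verdict = "exposed (HTTPS reverse proxy)"
    else:
        verdict = "exposed"
    return {"collapsed_forwarding": collapsed,
            "https_reverse_proxy": https_accel,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

A "not exposed" verdict covers SQUID-2016:10 only; the announcement does not tie SQUID-2016:11 to Collapsed Forwarding.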


