[squid-announce] Squid 4.0.17 beta is available
Amos Jeffries
squid3 at treenet.co.nz
Sat Dec 17 16:04:13 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.17 release!
This release is a security and bug fix release resolving several issues
found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:10 Information disclosure in Collapsed Forwarding
<http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
This problem allows a remote attacker to discover private and sensitive
information about another clients browsing session. Potentially
including credentials which allow access to further sensitive resources.
This problem only affects Squid configured to use the Collapsed
Forwarding feature. It is of particular importance for HTTPS
reverse-proxy sites with Collapsed Forwarding.
This problem is present on all 3.5 releases, though 3.5.22 is hit worst
due to the collapsed revalidation extension increasing the scope of
traffic which can be collapsed.
* SQUID-2016:11 Information disclosure in HTTP Request processing
<http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>
This problem allows a remote attacker to discover private and sensitive
information about another clients browsing session. Potentially
including credentials which allow access to further sensitive resources.
This vulnerability is present in all Squid-3.1 and later versions. The
only known workaround is to prevent caching entirely, which is far from
ideal.
* TLS: Support tunneling of bumped non-HTTP traffic
Previously, the use of "on_unsupported_protocol tunnel" resulted in
encrypted HTTP 400 (Bad Request) messages sent to clients that do not
speak HTTP(S). Such as Skype groups, which appear to use TLS-encrypted
MSNP protocol instead of HTTPS.
This Squid allows admins using SslBump to tunnel Skype groups and
similar non-HTTP traffic bytes via "on_unsupported_protocol tunnel all".
All users of Squid-4.x are urged to upgrade to this release as
soon as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list