[squid-announce] Squid 3.5.23 is available
Amos Jeffries
squid3 at treenet.co.nz
Sat Dec 17 16:04:58 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.23 release!
This release is a security and bug fix release resolving several issues
found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:10 Information disclosure in Collapsed Forwarding
<http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
This problem allows a remote attacker to discover private and sensitive
information about another clients browsing session. Potentially
including credentials which allow access to further sensitive resources.
This problem only affects Squid configured to use the Collapsed
Forwarding feature. It is of particular importance for HTTPS
reverse-proxy sites with Collapsed Forwarding.
This problem is present on all 3.5 releases, though 3.5.22 is hit worst
due to the collapsed revalidation extension increasing the scope of
traffic which can be collapsed.
* SQUID-2016:11 Information disclosure in HTTP Request processing
<http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>
This problem allows a remote attacker to discover private and sensitive
information about another clients browsing session. Potentially
including credentials which allow access to further sensitive resources.
This vulnerability is present in all Squid-3.1 and later versions. The
only known workaround is to prevent caching entirely, which is far from
ideal.
* Bug #4169: HIT marked as MISS when If-None-Match does not match
* Bug #3940: Host verify failures MISS when they should be HIT
* Bug #3533: Cache still valid after HTTP/1.1 303 See Other
* Bug #2258: bypassing cache but not destroying cache entry
These bugs all share a common thread of reducing cache efficiency. This
Squid will now leave existing cache content in place for use unless the
new client response is able to be shared with other clients. Some of
these bugs are only partially fixed so further improvements may be possible.
* HTTP/1.1: make Vary:* objects cacheable
Under RFC 2616 responses containing "Vary: *" header were not cachable.
That requirement has been loosened by RFC 7231 and Squid is now able to
cache these responses.
* ssl::server_name ACL badly broken since inception
The original server_name code mishandled all SNI checks and some rare
host checks. This was most visible with the reports that the
ssl::server_name ACL tests would fail where the equivalent regex ACL
test would behave differently, usually by matching. Or in situations
where neither would match despite the value appearing to be available.
* TLS: Make key= before cert= an error instead of quietly hiding the issue
Previous versions of Squid would accept the TLS/SSL key= parameter being
configured first before cert= parameter. But would then silently discard
the key settings when loading the cert file. This would lead to
unexpected behaviour or obscure 'permission' errors.
This release will now produce a FATAL error and halt if configured with
a key= parameter before its matched cert= parameter.
All users of Squid-3 are urged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list