[squid-announce] Squid 3.5.15 is available
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 24 04:46:30 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.15 release!
This release is a security release resolving several major
vulnerabilities found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
processing
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
The visible symptoms of these are various assertions about:
"String.cc:*: 'len_ + len <65536'"
"store.cc:*: 'isEmpty()'"
There are a number of known attacks involved for both of these
assertions. Almost all are now fully fixed or rendered harmless to other
transactions. However, some hard-to-trigger ones are not yet resolved.
Normally we would not release this advisory and packages until a full
fix or workaround was confirmed. However, these assertions have recently
become the topic of a lot of public discussion and a trivial PoC is now
available. We have chosen to release the existing fixes now as work
continues towards a final resolution.
All Squid-3 and Squid-4 releases to date are affected.
See the advisory for further details. Upgrade or patching should be
considered a high priority.
All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
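
Added example, not part of the original announcement or of the Squid project's code: a small log check that counts the two assertion symptoms quoted above in cache.log lines. It assumes the log line shape `assertion failed: <file>:<line>: "<expression>"`; the sample lines, including their timestamps and source line numbers, are constructed for illustration.

```python
import re
from collections import Counter

# Assertion texts quoted in the announcement; the "*" there stands for a
# source line number, which varies between Squid versions.
SYMPTOMS = {
    "String.cc": "len_ + len <65536",
    "store.cc": "isEmpty()",
}

# Assumed cache.log shape: ... assertion failed: <file>:<line>: "<expression>"
ASSERT_RE = re.compile(
    r'assertion failed: (?P<file>[\w.]+):(?P<line>\d+): "(?P<expr>[^"]*)"'
)

def normalise(expr):
    """Drop whitespace so spacing differences in the expression still match."""
    return re.sub(r"\s+", "", expr)

def find_symptoms(lines):
    """Count log lines that match one of the SQUID-2016:2 symptom assertions."""
    hits = Counter()
    for line in lines:
        m = ASSERT_RE.search(line)
        if not m:
            continue
        expected = SYMPTOMS.get(m.group("file"))
        if expected is not None and normalise(m.group("expr")) == normalise(expected):
            hits[(m.group("file"), expected)] += 1
    return hits

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    '2016/02/24 04:40:01 kid1| assertion failed: String.cc:201: "len_ + len <65536"',
    '2016/02/24 04:40:07 kid1| Starting Squid Cache version 3.5.14 for x86_64-pc-linux-gnu...',
    '2016/02/24 04:41:12 kid1| assertion failed: store.cc:1890: "isEmpty()"',
    '2016/02/24 04:42:30 kid1| assertion failed: String.cc:174: "len_ + len < 65536"',
    '2016/02/24 04:43:00 kid1| assertion failed: example.cc:10: "ptr != NULL"',
]

if __name__ == "__main__":
    for (src, expr), count in sorted(find_symptoms(SAMPLE_LOG).items()):
        print(f'{count:3d}  {src}: "{expr}"')
```

A non-zero count on a release older than 3.5.15 is a reason to prioritise the upgrade; on 3.5.15 it may point at one of the cases the announcement says are not yet resolved.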