[squid-announce] Squid 4.0.10 beta is available

Amos Jeffries squid3 at treenet.co.nz
Mon May 9 08:24:24 UTC 2016


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.10 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling

    http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
    aka. CVE-2016-4553

 Due to incorrect data validation of intercepted HTTP Request
 messages Squid is vulnerable to clients bypassing the protection
 against CVE-2009-0801 related issues. This leads to cache
 poisoning.


* SQUID-2016:9 - Multiple Denial of Service issues in ESI.

    http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
    aka. CVE-2016-4555 and CVE-2016-4556.

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.


* Accumulate fewer unknown-size responses to avoid overwhelming disks.

Earlier Squid had the behaviour of accumulating large amounts of data in
RAM for unknown-size objects before deciding where to cache them. That
could result in the disk I/O controller and CPU being overwhelmed with
data write operations. In outward appearance Squid would 'hang' for a
short time, then recover. If the overall traffic loading was also very
high the traffic speed could drop noticeably.

This release improves the decision-making process. It should result in
lower RAM requirements for some client transactions, and also smoother
disk I/O and CPU usage under high loads.


* Fix a shared memory corruption when storing multi-slot (>32KB) MISS

This is a recent regression in Squid-4.0.8. Other Squid releases are not
affected. It could have resulted in corrupt objects being stored into
disk cache, so erasing and rebuilding disk caches used by affected
Squid-4 is recommended.


 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


