[squid-announce] Squid 4.0.10 beta is available
Amos Jeffries
squid3 at treenet.co.nz
Mon May 9 08:24:24 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.10 release!
This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
aka. CVE-2016-4553
Due to incorrect data validation of intercepted HTTP Request
messages Squid is vulnerable to clients bypassing the protection
against CVE-2009-0801 related issues. This leads to cache
poisoning.
* SQUID-2016:9 - Multiple Denial of Service issues in ESI.
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
aka. CVE-2016-4555 and CVE-2016-4556.
These problems allow a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
* Accumulate fewer unknown-size responses to avoid overwhelming disks.
Earlier Squid had the behaviour of accumulating large amounts of data in
RAM for unknown-size objects before deciding where to cache them. That
could result in the disk I/O controller and CPU being overwhelmed with
data write operations. In outward appearance Squid would 'hang' for a
short time, then recover. If the overall traffic loading was also very
high the traffic speed could drop noticeably.
This release improves the descision making process. It should result in
lower RAM requirements for some client transactions, and also smoother
disk I/O and CPU usage under high loads.
* Fix a shared memory corruption when storing multi-slot (>32KB) MISS
This is a recent regression in Squid-4.0.8. Other Squid releases are not
affected. It could have resulted in corrupt objects being stored into
disk cache, so erasing and rebuilding disk caches used by affected
Squid-4 is recommended.
All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list