[squid-announce] Squid 3.5.19 is available

Amos Jeffries squid3 at treenet.co.nz
Mon May 9 08:24:39 UTC 2016


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.19 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling

    http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
    aka. CVE-2016-4553

 Due to incorrect data validation of intercepted HTTP Request
 messages, Squid is vulnerable to clients bypassing the protection
 against CVE-2009-0801 related issues. This leads to cache
 poisoning.


* SQUID-2016:8 - Header smuggling issue in HTTP Request processing

    http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
    aka. CVE-2016-4554

 This problem allows a client to smuggle a Host header value past
 same-origin security protections, causing Squid operating as an
 interception or reverse proxy to contact the wrong origin
 server, and also poisoning any downstream cache which stores the
 response.

 However, the cache poisoning is only possible if the caching
 agent (browser or explicit/forward proxy) is not following RFC
 7230 processing guidelines and lets the smuggled value through.

 Note that all releases of Squid up to and including this one do not
 follow that recently added RFC guideline.


* SQUID-2016:9 - Multiple Denial of Service issues in ESI.

    http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
    aka. CVE-2016-4555 and CVE-2016-4556.

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.

 Due to unrelated changes Squid-3.5 has become vulnerable to some
 regular ESI server responses also triggering one or more of these
 issues.


* Bug 4498: URL-unescape the login-info after extraction from URI

This bug shows up as URL-escaped credentials being delivered in their
encoded form to the authentication helpers, or relayed to FTP servers
when in an ftp:// URL, where the un-escaped form is needed. It
commonly affects credentials which contain characters other than plain
ASCII alphanumerics.
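To illustrate the behaviour described for Bug 4498, here is an added Python model (not Squid code) of extracting the login-info from a URI and URL-unescaping it before it is handed on; the `unescape=False` path reproduces the symptom of passing the encoded form through. The URIs and credentials below are constructed samples.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote


def extract_login(uri: str, unescape: bool = True) -> Optional[Tuple[str, str]]:
    """Return (user, password) taken from the userinfo part of a URI.

    Returns None when the URI carries no login-info. With unescape=False
    the percent-encoded form is returned as-is, which models the symptom
    of Bug 4498 (encoded credentials reaching the helper or FTP server).
    """
    netloc = urlsplit(uri).netloc
    if "@" not in netloc:
        return None
    # Everything before the last '@' is userinfo; the host:port follows it.
    userinfo = netloc.rsplit("@", 1)[0]
    # Split on the FIRST ':' before unescaping, so that an encoded ':'
    # (%3A) inside the password is not mistaken for the separator.
    user, _, password = userinfo.partition(":")
    if unescape:
        user, password = unquote(user), unquote(password)
    return user, password


def helper_line(uri: str, unescape: bool = True) -> Optional[str]:
    """Simplified 'user password' line as it would be passed onward.

    This is an illustrative format only, not the real helper protocol.
    """
    login = extract_login(uri, unescape)
    if login is None:
        return None
    return f"{login[0]} {login[1]}"


if __name__ == "__main__":
    # Constructed sample: non-ASCII username, '@' and ':' in the password.
    sample = "ftp://j%C3%BCrgen:p%40ss%3Aword@ftp.example.net/pub/"
    print("buggy :", helper_line(sample, unescape=False))
    print("fixed :", helper_line(sample))
```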


* TLS: Fix SSL alert message and session resume handling

Previous Squid did not handle SSL/TLS server responses that start with an
SSL Alert Record, and also failed to detect and handle resumed sessions.


* Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

Previous Squid would always send the "-b" command line option to its
certificate generator helper. If the installation was using a custom
helper, this could lead to very annoying issues.



All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries