[squid-announce] Squid 3.5.19 is available
Amos Jeffries
squid3 at treenet.co.nz
Mon May 9 08:24:39 UTC 2016
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.19 release!
This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
aka. CVE-2016-4553
Due to incorrect data validation of intercepted HTTP Request
messages Squid is vulnerable to clients bypassing the protection
against CVE-2009-0801 related issues. This leads to cache
poisoning.
* SQUID-2016:8 - Header smuggling issue in HTTP Request processing
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
aka. CVE-2016-4554
This problem allows a client to smuggle a Host header value past
the same-origin security protections, causing Squid operating as an
interception or reverse proxy to contact the wrong origin server.
It also poisons any downstream cache that stores the response.
However, the cache poisoning is only possible if the caching
agent (browser or explicit/forward proxy) is not following RFC
7230 processing guidelines and lets the smuggled value through.
Note that all releases of Squid up to and including this one do not
follow that recently added RFC guideline.
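Both advisories above concern the same defensive check: an intercepted request's Host header must be well-formed and must agree with the destination the client actually connected to before the request is forwarded or its response cached. The following is an added illustration written for this page, not Squid's code and not from the announcement. It applies the RFC 7230 section 5.4 rules (exactly one Host header, a field-value of the form `uri-host [":" port]`, no obsolete line folding) and then compares the parsed host:port with a caller-supplied intercepted destination. The function names and the sample requests are constructed for the example; how the caller learns the intercepted destination (socket lookup, NAT table) is assumed and out of scope.

```python
"""Hypothetical same-origin check for an intercepted HTTP/1.1 request.

Added illustration, not Squid code.  A rejection should become a 400
response and the request must never be forwarded or cached.
"""
import re
from typing import List, Tuple

# RFC 7230 5.4: Host = uri-host [ ":" port ]; uri-host per RFC 3986 is a
# reg-name, an IPv4 address, or a bracketed IPv6 literal.  Whitespace and
# control characters are not part of the grammar and are rejected.
_HOST_VALUE_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]+)"
    r"(?::(?P<port>[0-9]*))?$"
)


def _header_values(request: bytes, name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive) in `request`.

    Raises ValueError on obsolete line folding, malformed header lines, or
    whitespace before the colon; RFC 7230 3.2.4 lets a server reject all
    three, and each is a classic header-smuggling vector.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    values = []
    for line in lines[1:]:  # lines[0] is the request-line
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold in header block")
        if b":" not in line:
            raise ValueError("malformed header line")
        field, _, value = line.partition(b":")
        if field != field.strip():
            raise ValueError("whitespace between field-name and colon")
        if field.lower() == name.encode().lower():
            values.append(value.strip(b" \t").decode("ascii", "surrogateescape"))
    return values


def check_intercepted_host(request: bytes, dest_host: str, dest_port: int) -> Tuple[bool, str]:
    """Validate the Host header of an intercepted request against the
    destination (host, port) the client really connected to.

    Returns (accepted, reason).
    """
    try:
        hosts = _header_values(request, "Host")
    except ValueError as exc:
        return False, str(exc)
    # RFC 7230 5.4: reject a request lacking Host, with more than one Host,
    # or with an invalid Host field-value.
    if len(hosts) != 1:
        return False, f"expected exactly one Host header, got {len(hosts)}"
    m = _HOST_VALUE_RE.match(hosts[0])
    if not m:
        return False, "Host field-value is not uri-host [':' port]"
    host = m.group("host").lower()
    port = int(m.group("port")) if m.group("port") else 80  # empty or absent port: default 80
    if (host, port) != (dest_host.lower(), dest_port):
        return False, f"Host {host}:{port} does not match intercepted destination {dest_host}:{dest_port}"
    return True, "ok"


# Constructed sample requests for the example (not captured traffic).
GOOD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DUP = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: other.example\r\n\r\n"
FOLD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n other.example\r\n\r\n"
WRONG = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
SPACE = b"GET / HTTP/1.1\r\nHost: www.example.com other.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("duplicate", DUP), ("folded", FOLD),
                       ("mismatch", WRONG), ("space", SPACE)]:
        print(label, check_intercepted_host(req, "www.example.com", 80))
```

The comparison is against the host:port the client was intercepted connecting to, which is what makes the check same-origin: a syntactically valid Host naming a different origin is still rejected, so a client cannot steer the proxy (or any cache behind it) to a server of its choosing.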
* SQUID-2016:9 - Multiple Denial of Service issues in ESI.
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
aka. CVE-2016-4555 and CVE-2016-4556.
These problems allow a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering one or more of these
issues.
* Bug 4498: URL-unescape the login-info after extraction from URI
This bug shows up as the encoded form of credentials that are
URL-escaped being delivered to the authentication helpers or relayed to
FTP servers if in ftp:// URL when the un-escaped form is needed. It
commonly affects credentials which contain characters other than plain
ASCII alphanumerics.
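To show what Bug 4498 is about, here is an added example (not Squid's code and not part of this announcement): credentials carried in a URL's userinfo are percent-encoded on the wire, so a literal "@", ":" or non-ASCII character in a username or password only survives the trip if it is decoded after extraction and before being handed to a helper or relayed to an FTP server. The function names and the sample URLs are constructed for the example; it uses the standard library's `urllib.parse`, which leaves userinfo escaped exactly as received.

```python
"""Extract and decode login-info from a URI, and strip it for forwarding.

Added illustration, not Squid code.  `urlsplit(...).username` and
`.password` return the raw, still percent-encoded text; the decoding step
is the one the bug fix adds.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, unquote


def extract_login_info_raw(url: str) -> Optional[Tuple[str, str]]:
    """Buggy behaviour: returns the escaped form ("us%40er", "p%40ss%3Aword")."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return parts.username, parts.password or ""


def extract_login_info(url: str) -> Optional[Tuple[str, str]]:
    """Fixed behaviour: percent-decode after extraction, so the helper or
    FTP server sees the credential the user actually typed."""
    raw = extract_login_info_raw(url)
    if raw is None:
        return None
    user, password = raw
    # A literal "@" or ":" in a credential must have been sent as %40 / %3A,
    # otherwise the URL parser would have split the authority in the wrong
    # place; decoding restores them.  unquote() decodes UTF-8 sequences too.
    return unquote(user), unquote(password)


def strip_login_info(url: str) -> str:
    """Return the URL without its userinfo, for logging or for the
    request-line sent onward once credentials have been extracted."""
    parts = urlsplit(url)
    host_port = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=host_port))


# Constructed sample URL; the credentials are fictitious.
SAMPLE = "ftp://j%C3%BCrgen:p%40ss%3Aword@ftp.example.org/pub/"

if __name__ == "__main__":
    print("escaped (bug):", extract_login_info_raw(SAMPLE))
    print("decoded (fix):", extract_login_info(SAMPLE))
    print("for logging:  ", strip_login_info(SAMPLE))
```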
* TLS: Fix SSL alert message and session resume handling
Previous Squid did not handle SSL/TLS server responses that start with an
SSL Alert Record, and also failed to detect and handle resumed sessions.
* Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
Previous Squid would always send the "-b" command line option to its
certificate generator helper. If the installation was using a custom
helper, this could lead to very annoying issues.
All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries