[squid-announce] Squid 5.0.4 beta is available
Amos Jeffries
squid3 at treenet.co.nz
Sun Aug 23 08:17:14 UTC 2020
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.4 beta release!
This release is a security and feature update release resolving
several issues found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2020:8 HTTP(S) Request Splitting
(CVE-2020-15811)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv>
* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)
This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.
This attack is limited to Squid using cache_peer with cache
digests feature.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg>
* SQUID-2020:10 HTTP(S) Request Smuggling
(CVE-2020-15810)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m>
* Add http_port sslflags=CONDITIONAL_AUTH
This release extends the client certificate features to allow
optional certificate authentication.
The existing DELAYED_AUTH flag would delay the certificate request,
then reject all clients who cannot present a valid certificate
on request.
With CONDITIONAL_AUTH Squid will just request and validate SSL
client certificates. Any rejection or use of those certificates
is left to other configuration settings.
* Improved CONNECT tunnel handling
This release contains several small but important changes to how
Squid handles CONNECT tunnels opened with servers. Particularly
in cases of server TCP connection failure and switching between
upstream peers.
A lot of annoying on_unsupported_protocol and HTTPS forwarding
behaviour issues with previous releases should be resolved by
these changes.
All users of Squid-5 are urged to upgrade as soon as possible.
All users of Squid-4 and older are encouraged to plan for upgrade.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list