From kinkie at squid-cache.org Mon Jul 14 21:04:12 2025
From: kinkie at squid-cache.org (Francesco Chemolli)
Date: Mon, 14 Jul 2025 21:04:12 -0000
Subject: [squid-announce] Squid version 7.1 is available

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-7.1 release!

This release is, we believe, stable enough for general production use. We encourage all users of any previous major version of Squid to upgrade to it, as well as users of beta version 7.0.X.

It can be downloaded from GitHub, at https://github.com/squid-cache/squid/releases/tag/SQUID_7_1

Since version 6, Squid offers:
* better support for overlapping IP ranges and wildcard domains in acl
* countless security, portability, and documentation fixes

Since version 6, some previously deprecated features have been removed:
* Edge Side Includes (ESI)
* access to the cache manager using the cache_object:// scheme - use http instead
* the squidclient tool - use curl http:///squid-internal-mgr/menu instead
* the cachemgr.cgi tool
* the purge tool - use the http PURGE method instead
* Ident protocol support
* basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead

Further details can be found in the release notes and in the changelog.

Please remember to run "squid -k parse" when testing the upgrade to a new version of Squid. It will audit your configuration files and report any identifiable issues the new release will have in your installation before you "press go".
If you encounter any issues with this release please file a bug report at https://bugs.squid-cache.org/

-- 
Francesco Chemolli

From squid3 at treenet.co.nz Thu Jul 31 16:05:25 2025
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Fri, 1 Aug 2025 04:05:25 +1200
Subject: [squid-announce] [ADVISORY] SQUID-2025:1 Buffer Overflow in URN Handling
Message-ID: <458f4d65-65a6-4e7e-9d1f-156e886b7add@treenet.co.nz>

__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2025:1
__________________________________________________________________

Advisory ID:       | SQUID-2025:1, CVE-2025-54574
Date:              | August 1, 2025
Summary:           | Buffer Overflow in URN Handling
Affected versions: | Squid 2.x -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.17
                   | Squid 5.x -> 5.9
                   | Squid 6.x -> 6.3
Fixed in version:  | Squid 6.4
__________________________________________________________________

Problem Description:

Due to incorrect buffer management Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN.
__________________________________________________________________

Severity:

This problem allows a remote server to perform a Buffer Overflow attack when delivering URN Trivial-HTTP responses, potentially allowing delivery of up to 4KB of Squid allocated heap memory to the client. Revealed memory may include security credentials or other confidential data.
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable releases can be found in our patch archives:

Squid 6:

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
__________________________________________________________________

Determining if your version is vulnerable:

Squid older than 4.14 has not been tested and should be assumed to be vulnerable.

All Squid-4.x up to and including 4.17 are vulnerable.

All Squid-5.x up to and including 5.9 are vulnerable.

All Squid-6.x up to and including 6.3 are vulnerable.
__________________________________________________________________

Workaround:

Disable URN access permissions.

  acl URN proto URN
  http_access deny URN
__________________________________________________________________

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor.

If you install and build Squid from the original Squid sources then the mailing list is your primary support point. For subscription details see .

For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used .

For reporting of security sensitive bugs send an email to the mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established.
__________________________________________________________________

Credits:

This vulnerability was discovered by StarryNight.

Fixed by The Measurement Factory.
__________________________________________________________________

Revision history:

2023-06-24 08:18:55 UTC Fix published
2025-07-01 18:40:24 UTC Initial Report
__________________________________________________________________
END
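Two defender-side checks for the advisory above, written as an added example that is not part of the advisory or of Squid: whether a version string falls inside the affected ranges in the table, and whether a squid.conf carries the URN deny workaround at a position where it actually takes effect (http_access is first-match, so a deny after a matching allow never fires). It assumes `squid -v` prints a line beginning `Squid Cache: Version`; that format is an assumption, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory or Squid): SQUID-2025:1 exposure checks.

# Extract e.g. "6.3" from `squid -v` output. Assumes the banner line reads
# "Squid Cache: Version <ver>" (assumption, not stated in the advisory).
squid_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9A-Za-z.]*\).*/\1/p'
}

# Exit 0 when VERSION is in an affected range from the advisory table:
# 2.x..2.7.STABLE9, 3.x..3.5.28, 4.x..4.17, 5.x..5.9, 6.x..6.3.
# Releases older than the tested ones are treated as vulnerable, as advised.
squid_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')   # "7.STABLE9" -> 7
    case "$major" in
        2|3) return 0 ;;              # every listed 2.x / 3.x release
        4) [ "$minor" -le 17 ] ;;
        5) [ "$minor" -le 9 ] ;;
        6) [ "$minor" -le 3 ] ;;      # fixed in 6.4
        *) return 1 ;;                # 7.x and later carry the fix
    esac
}

# Exit 0 when CONFIG defines an acl of type "proto URN", denies it with
# http_access, and that deny line precedes the first http_access allow.
workaround_present() {
    cfg=$1
    aclname=$(grep -Ei '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+proto[[:space:]]+URN([[:space:]]|$)' "$cfg" \
              | awk '{ print $2; exit }')
    [ -n "$aclname" ] || return 1
    denyline=$(grep -En "^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+$aclname([[:space:]]|$)" "$cfg" \
               | head -n 1 | cut -d: -f1)
    [ -n "$denyline" ] || return 1
    firstallow=$(grep -En '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]' "$cfg" \
                 | head -n 1 | cut -d: -f1)
    [ -z "$firstallow" ] || [ "$denyline" -lt "$firstallow" ]
}

# Check the local install when given a squid.conf path: sh check.sh /etc/squid/squid.conf
if [ "$#" -eq 1 ]; then
    ver=$(squid_version_from_banner "$(squid -v 2>/dev/null)")
    if [ -z "$ver" ]; then echo "could not read the version from squid -v"; exit 2; fi
    if ! squid_affected "$ver"; then echo "Squid $ver is not in an affected range"; exit 0; fi
    if workaround_present "$1"; then echo "Squid $ver affected; URN deny workaround is in place"
    else echo "Squid $ver affected; apply the advisory workaround or upgrade to 6.4+"; exit 1; fi
fi
```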