[squid-users] [squid-announce] Squid 3.5.15 is available

Dmitry Melekhov dm at belkam.com
Wed Feb 24 06:10:06 UTC 2016


Hello!

After installing 3.5.15 on ubuntu 12.04 I get squid crash:


2016/02/24 10:07:23 kid1| assertion failed: FwdState.cc:447: 
"serverConnection() == conn"

3.5.14 had no such problem.

Thank you!



24.02.2016 08:46, Amos Jeffries пишет:
> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-3.5.15 release!
>
>
> This release is a security release resolving several major
> vulnerabilities found in the prior Squid releases.
>
>
> The major changes to be aware of:
>
>
> * SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
>    processing
>
>      http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
>
> The visible symptoms of these are various assertions about:
>   "String.cc:*: 'len_ + len <65536'"
>   "store.cc:*: 'isEmpty()'"
>
> There are a number of known attacks involved for both of these
> assertions. Almost all are now fully fixed or rendered harmless to other
> transactions. However some hard to trigger ones are not yet resolved.
>
> Normally we would not release this advisory and packages until a full
> fix or workaround was confirmed. However these assertions have recently
> become the topic of a lot of public discussion and a trivial PoC is now
> available. We have chosen to release the existing fixes now as work
> continues towards a final resolution.
>
>    All Squid-3 and Squid-4 releases to date are affected.
>
> See the advisory for further details. Upgrade or patching should be
> considered a high priority.
>
>
>
>   All users of Squid-3 or older are urged to upgrade to this release as
> soon as possible.
>
>
>   See the ChangeLog for the full list of changes in this and earlier
>   releases.
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
> when you are ready to make the switch to Squid-3.5
>
> Upgrade tip:
>    "squid -k parse" is starting to display even more
>     useful hints about squid.conf changes.
>
> This new release can be downloaded from our HTTP or FTP servers
>
>   http://www.squid-cache.org/Versions/v3/3.5/
>   ftp://ftp.squid-cache.org/pub/squid/
>   ftp://ftp.squid-cache.org/pub/archive/3.5/
>
> or the mirrors. For a list of mirror sites see
>
>   http://www.squid-cache.org/Download/http-mirrors.html
>   http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
>
> Amos Jeffries
> _______________________________________________
> squid-announce mailing list
> squid-announce at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list