[squid-users] [squid-announce] Squid 3.5.28 is available
Amos Jeffries
squid3 at treenet.co.nz
Tue Jul 31 06:08:36 UTC 2018
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.28 release!
This release is a security fix release resolving several major issues
found in the prior Squid releases.
REMINDER: This and older releases are already deprecated by
Squid-4.1 availability.
The major changes to be aware of:
* SQUID-2018:1 / CVE-2018-1000024
Crash processing SSL-Bumped traffic containing ESI
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Squid-3.5 is also vulnerable to some regular ESI server responses
also triggering this issue.
This problem is limited to the Squid custom ESI parser.
Squid built to use libxml2 or libexpat XML parsers do not have
this problem.
* SQUID-2018:2 / CVE-2018-1000027
Crash handling responses to internally generated requests
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
* SQUID-2018:3 / CVE-2018-1172
Crash in ESI Response processing
http://www.squid-cache.org/Advisories/SQUID-2018_3.txt
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
* Bug 4829: IPC shared memory leaks when disker queue overflows
This bug occurs when Squid is configured with rock only storage. After
a long period of high load or a shorter period of extremely high load,
disk IO drops entirely. Even after giving Squid time to recover and
then resuming a low load the diskers were just not doing anything.
A lot of "run out of shared memory pages for IPC I/O" errors may be
seen during the high load, which continues to remain on smaller loads
after the recovery time.
* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
This problem appears as a crash when Squid is operating with multiple
workers and receiving IPv6 SNMP queries.
* Bug 2821: Ignore Content-Range in non-206 responses
Squid used to honor Content-Range header in HTTP 200 OK (and possibly
other non-206) responses, truncating (and possibly enlarging) some
response bodies. RFC 7233 declares Content-Range meaningless for
standard HTTP status codes other than 206 and 416. Squid now relays
meaningless Content-Range as is, without using its value.
* SSL-Bump: fix authentication with schemes other than Basic
Squid-3.4.5 included a fix for handling Basic authentication of a
CONNECT tunnel which is being bump'ed. Requests within it were
intended to inherit the credentials of the tunnel. Allowing Squid ACLs
to use authentication tests on the bumped traffic.
This release finally extends that fix to make bumped traffic inherit
the authentication credentials from the CONNECT tunnel regardless of
authentication type.
* TPROXY: Fix clientside_mark and client port logging
The clientside_mark ACL was not working with TPROXY because a
conntrack query could not find connmark without a true client port.
This also affected helpers and ACLs using client dst-port number
prior to logging when traffic was received with TPROXY.
* Fix "Cannot assign requested address" for to-origin TPROXY FTP data
This release adds the capability for TPROXY to be used on Native FTP
traffic (received at ftp_port). Prior releases would present the above
error when establishing FTP data connection and abort the transaction.
All users of Squid-3 with SSL-Bump functionality are encouraged to
upgrade to this release as soon as possible.
All other users of Squid-3 are encouraged to upgrade to this release
as time permits.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
More information about the squid-users
mailing list