[squid-users] [squid-announce] Squid 4.10 is available
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 3 14:18:56 UTC 2020
On 4/02/20 12:54 am, Amos Jeffries wrote:
> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-4.10 release!
>
>
> This release is a security release resolving several issues found in
> the prior Squid releases.
>
>
> The major changes to be aware of:
>
>
> * SQUID-2020:1 Improper Input Validation issues in HTTP Request
> processing
> (CVE-2020-8449, CVE-2020-8450)
>
> This issue allows attackers to perform denial of service on the
> proxy and all clients using it.
>
> This issue potentially allows attackers to bypass security access
> controls in systems between client and proxy.
>
> This issue potentially allows remote code execution under the
> proxy low-privilege level. While restricted, it does have access
> to a wide range of information about the network structure and
> other clients using the proxy.
>
> This issue is limited to Squid acting as a reverse-proxy. Some
> effects also require allow_direct permissions.
>
> See the advisory for updated patches:
> <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>
>
>
> Please note that NTLM is a deprecated authentication mechanism.
> All users of this tool are advised to plan migration to
> Negotiate/Kerberos authentication.
>
Apologies. This note was supposed to be under SQUID-2020:3 issue.
The issue(s) above are not related to NTLM.
>
> * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
> (CVE-2019-12528)
>
> Certain FTP server responses can result in Squid revealing
> random amounts of memory content from heap.
>
> When Squid mempools feature is enabled the leak is limited to
> lines in FTP directory listings, possibly from other clients.
>
> When mempools is disabled the information may be anything from
> the heap area including information from other processes on the
> machine.
>
> See the advisory for more details:
> <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>
>
>
> * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
> (CVE-2020-8517)
>
> This problem is limited to installations using the ext_lm_group_acl
> binary (previously shipped as mswin_check_lm_group).
>
> Due to incorrect input validation the NTLM authentication
> credentials parser in ext_lm_group_acl may write to memory
> outside the credentials buffer.
>
> On systems with memory access protections this can result in
> the helper process being terminated unexpectedly, resulting
> in the Squid process also terminating and a denial of service for
> all clients using the proxy.
>
> See the advisory for more details:
> <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>
>
>
> * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
>
> This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
> issue was incorrect memory alignment with certain cache sizes. This
> Squid release now forces alignment of the critical rock page details.
>
>
> * Bug 4735: Truncated chunked responses cached as whole
>
> This bug shows up as clients getting the cached truncated response
> objects until the cache object expires or is force removed.
>
> In the absence of partial-object caching this Squid release treats
> incomplete responses as non-cacheable and prevents the chunked encoding
> terminator chunk being delivered to the active client(s).
>
>
> * Fix server_cert_fingerprint on cert validator-reported errors
>
> This bug shows up as a server_cert_fingerprint ACL mismatch when
> sslproxy_cert_error directive was applied to validation errors reported
> by the certificate validator, because the ACL could not find the server
> certificate.
>
>
> All users of Squid are urged to upgrade as soon as possible.
>
>
> See the ChangeLog for the full list of changes in this and earlier
> releases.
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
> when you are ready to make the switch to Squid-4
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v4/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/4/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.html
> http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
>
> Amos Jeffries
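The Bug 4735 item in the quoted announcement describes a chunked response whose connection closed before the terminating zero-length chunk, yet the partial body was stored and served as a complete object. The following is an added example and not Squid's own code: a small decoder for the HTTP/1.1 chunked transfer coding that never raises on truncation but instead reports whether the terminator chunk (and the blank line closing the trailer section) actually arrived, together with the caching decision the fix describes, namely that an incomplete response is not cacheable. The sample bodies (`COMPLETE`, `TRUNCATED_MID_CHUNK`, `TRUNCATED_NO_TERMINATOR`, `WITH_TRAILER`) are constructed for this example.

```python
"""Chunked transfer-coding completeness check (added example, not Squid code).

A cache should store a chunked body only when the terminating 0-length chunk
was received; otherwise it would serve a truncated object to later clients,
which is the failure mode described for Squid bug 4735.
"""
from dataclasses import dataclass


@dataclass
class ChunkedBody:
    data: bytes       # decoded payload received so far
    complete: bool    # True only if the 0-length terminator chunk was seen
    reason: str       # why decoding stopped


def decode_chunked(raw: bytes) -> ChunkedBody:
    """Decode a chunked body; report truncation instead of raising."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            return ChunkedBody(bytes(out), False, "truncated in chunk-size line")
        # Chunk size is hex; anything after ';' is a chunk extension we ignore.
        size_field = raw[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return ChunkedBody(bytes(out), False, f"malformed chunk size {size_field!r}")
        pos = eol + 2
        if size == 0:
            # Last chunk: optional trailer fields, then one empty line.
            while True:
                eol = raw.find(b"\r\n", pos)
                if eol < 0:
                    return ChunkedBody(bytes(out), False, "truncated in trailer section")
                line = raw[pos:eol]
                pos = eol + 2
                if line == b"":
                    return ChunkedBody(bytes(out), True, "terminator chunk received")
                # Trailer fields do not affect the completeness decision.
        chunk = raw[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return ChunkedBody(bytes(out), False, f"truncated inside {size}-byte chunk")
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            return ChunkedBody(bytes(out), False, "missing CRLF after chunk data")
        pos += 2


def cacheable(raw: bytes) -> bool:
    """Policy from the bug 4735 fix: incomplete chunked responses are not cacheable."""
    return decode_chunked(raw).complete


# Constructed sample bodies (not captured traffic).
COMPLETE = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
TRUNCATED_MID_CHUNK = b"5\r\nhello\r\n6\r\n wor"
TRUNCATED_NO_TERMINATOR = b"5\r\nhello\r\n6\r\n world\r\n"
WITH_TRAILER = b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n"

if __name__ == "__main__":
    for name, body in [("COMPLETE", COMPLETE),
                       ("TRUNCATED_MID_CHUNK", TRUNCATED_MID_CHUNK),
                       ("TRUNCATED_NO_TERMINATOR", TRUNCATED_NO_TERMINATOR),
                       ("WITH_TRAILER", WITH_TRAILER)]:
        result = decode_chunked(body)
        print(f"{name:24} cacheable={cacheable(body)!s:5} data={result.data!r} ({result.reason})")
```

Note that the body with every data chunk present but no `0\r\n\r\n` terminator (`TRUNCATED_NO_TERMINATOR`) decodes to the same bytes as the complete one; only the terminator tells the cache that the origin finished the response, which is why the decision must be based on `complete` rather than on the decoded length.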