[squid-users] [squid-announce] Squid 4.12 is available

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 19 12:16:44 UTC 2020


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.12 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:

 * SQUID-2020:5 Denial of Service when using SMP cache
   (CVE-2020-14059)

This problem may allow a remote client to trigger a Squid worker
assertion.

This attack is limited to SMP Squids using shared memory cache
and/or an SMP rock disk cache.


See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_5.txt>


 * SQUID-2020:6 Denial of Service issue in TLS handshake
   (CVE-2020-14058)

This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.

This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.

This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.

See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt>


 * Bug 5041: Missing Debug::Extra breaks build on hosts with systemd

A regression was introduced with the fix for bug 5016 in Squid-4.11.
It shows up as build errors when the libsystemd dependency is
added to enable the systemd notify feature explicitly. This release
fixes the regression and actually enables the feature.


 * Bug 5030: Negative responses are never cached

This bug shows up as cacheable 4xx and 5xx responses not being
cached despite negative_ttl configuration. This release brings
4xx and 5xx responses in line with the expected caching behaviour.


 * SslBump: Disable OpenSSL TLSv1.3 support for older TLS traffic

Squid SSL-Bump features do not support the TLS/1.3 protocol.
Previously, a client or server attempting to use TLS/1.3 would
result in "inappropriate fallback" errors when negotiating handshakes.

This release explicitly detects use of TLS/1.3 and disables it.



  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
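
An added example, not part of the announcement or of Squid itself: a small triage script that reads `squid -v` output and squid.conf text and reports whether the conditions named above for SQUID-2020:5 (SMP with a shared memory cache and/or rock cache_dir) and SQUID-2020:6 (OpenSSL build) apply. The sample inputs are constructed, the function names are hypothetical, and the default assumed for an unset memory_cache_shared is an assumption; distribution packages may backport fixes without changing the version string.

```python
import re

FIXED_4X = (4, 12)  # release named in the announcement as carrying the fixes

def parse_version(squid_v_output):
    """Return (major, minor) from the 'Squid Cache: Version X.Y' line, or None."""
    m = re.search(r"Version (\d+)\.(\d+)", squid_v_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def directives(conf_text):
    """Yield (name, args) for every non-comment squid.conf line."""
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens[0], tokens[1:]

def assess(squid_v_output, conf_text):
    version = parse_version(squid_v_output)
    workers, shared_mem, rock, bump = 1, None, False, False
    for name, args in directives(conf_text):
        if name == "workers" and args and args[0].isdigit():
            workers = int(args[0])
        elif name == "memory_cache_shared" and args:
            shared_mem = args[0].lower() == "on"
        elif name == "cache_dir" and args and args[0] == "rock":
            rock = True
        elif name == "ssl_bump":
            bump = True
    smp = workers > 1
    if shared_mem is None:
        # Assumption: with no explicit setting, SMP mode shares the memory cache.
        shared_mem = smp
    # Only the 4.x series is judged; other series need the advisories themselves.
    old_4x = version is not None and version[0] == 4 and version < FIXED_4X
    return {
        "version": version,
        "needs_upgrade_4x": old_4x,
        "smp_cache_condition": smp and (shared_mem or rock),   # SQUID-2020:5
        "openssl_build": "--with-openssl" in squid_v_output,   # SQUID-2020:6
        "ssl_bump_configured": bump,
    }

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = "Squid Cache: Version 4.11\nconfigure options:  '--with-openssl'\n"
SAMPLE_CONF = "workers 4  # SMP\ncache_dir rock /var/spool/squid 4096\n# ssl_bump peek all\n"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_V, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On a real host, pass the captured output of `squid -v` and the contents of the active squid.conf to `assess()`.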