Amos Jeffries
2018-10-28 16:09:02 UTC
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.4 release!
This release is a security and bug fix release resolving several issues
found in the prior Squid releases.
The major changes to be aware of:
* SQUID-1018:4
Cross-Site Scripting issue in TLS error processing
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
This problem allows a malicious HTTPS server to trigger error
page delivery to a client and also inject arbitrary HTML code
into the resulting error response.
This problem is limited to Squid built with TLS / SSL support.
* SQUID-2018:5
Denial of Service issue in SNMP processing.
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
This problem allows a remote attacker to consume all memory
available to the Squid process, causing it to crash.
In environments where per-process memory restrictions are not
enforced strictly, or configured to large values this may also
affect other processes operating on the same machine. Leading to
a much worse denial of service situation.
This problem is limited to Squid built with SNMP support and
receiving SNMP traffic.
* Bug 4893: Malformed %>ru URIs for CONNECT requests
This bug showed up as "://host:port" URLs being logged for some CONNECT
transactions in Squid-4.2 and 4.3. This release reverts Squid to the
previous log output.
* Fix %USER_CA_CERT_xx and %USER_CERT_xx
Previous Squid-4 would crash when these macros where used to pass values
to external ACL helpers. This issue is now fully resolved.
* Support compilation with minimal OpenSSL
Squid would not build successfully against an OpenSSL library
which had itself been built to omit deprecated features and API.
This Squid release should build in these minimized environments.
All users of Squid-4 are urged to upgrade as soon as possible.
All users of Squid-3 are encouraged to upgrade where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
of the Squid-4.4 release!
This release is a security and bug fix release resolving several issues
found in the prior Squid releases.
The major changes to be aware of:
* SQUID-1018:4
Cross-Site Scripting issue in TLS error processing
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
This problem allows a malicious HTTPS server to trigger error
page delivery to a client and also inject arbitrary HTML code
into the resulting error response.
This problem is limited to Squid built with TLS / SSL support.
* SQUID-2018:5
Denial of Service issue in SNMP processing.
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
This problem allows a remote attacker to consume all memory
available to the Squid process, causing it to crash.
In environments where per-process memory restrictions are not
enforced strictly, or configured to large values this may also
affect other processes operating on the same machine. Leading to
a much worse denial of service situation.
This problem is limited to Squid built with SNMP support and
receiving SNMP traffic.
* Bug 4893: Malformed %>ru URIs for CONNECT requests
This bug showed up as "://host:port" URLs being logged for some CONNECT
transactions in Squid-4.2 and 4.3. This release reverts Squid to the
previous log output.
* Fix %USER_CA_CERT_xx and %USER_CERT_xx
Previous Squid-4 would crash when these macros where used to pass values
to external ACL helpers. This issue is now fully resolved.
* Support compilation with minimal OpenSSL
Squid would not build successfully against an OpenSSL library
which had itself been built to omit deprecated features and API.
This Squid release should build in these minimized environments.
All users of Squid-4 are urged to upgrade as soon as possible.
All users of Squid-3 are encouraged to upgrade where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries