The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.2.0.11 beta release!
This release is a security update and bug fix release resolving many of
the regressions found in the prior releases. The details are long, but
please read carefully.
* Advisory SQUID-2011:1 also known as CVE-2009-0801
See the Squid advisory for more details on the problem.
http://www.squid-cache.org/Advisories/SQUID-2011_1.txt
This release compares the textual representations of the URL and the Host
header for all traffic containing both. In the case of intercepted
traffic the client's original destination IP is also compared against the
DNS entries for the Host: header. When a contradiction is found Squid
logs "SECURITY ALERT: Host: header forgery detected" and responds with a
409 Conflict error page.
NAT interception *MUST* be performed on the same device as Squid. This
is no longer optional. NAT lookup failures of any kind also become more
important, since a failed lookup may block traffic. At the time of writing
we are aware of NAT issues on OpenBSD and systems using IPFW. Help wanted.
This release also passes intercepted traffic through to the original
NAT destination by default. The client_dst_passthru directive is provided
to retain the old Squid behaviour if you require intercepted traffic to
pass through a cache_peer.
At the time of writing we are also aware of HTTP header issues with
the Avira anti-virus updater and are working with the vendor to resolve
it. Please contact Avira for an update if this affects you or your clients.
* Advisory SQUID-2011:2 Password truncation in NCSA using DES
The DES algorithm used by the NCSA Basic authentication helper has a
limit of 8 bytes but some (not all) library implementations do not error
or warn when truncating longer passwords down to this limit.
This both significantly lowers the effort needed to crack captured
password files and hides from users the fact that the extra bits of
their chosen long password are not being used.
The NCSA helper bundled with Squid now prevents passwords longer than
8 characters from being sent to the DES algorithm. The MD5 hash algorithm,
which supports passwords longer than 8 characters, is also supported by
this helper and should be used instead.
IMPORTANT:
The helper bundled with this release rejects such passwords without
warning. If you require a transition period to update your systems,
use the helper bundled with the 3.1.15 release. It warns loudly, and
possibly often, but allows clients through.
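Before upgrading, it helps to know which entries in the password file are DES hashes, since those are the only ones the new 8-byte rule affects. The following is an added example, not the ncsa_auth helper's source: it classifies each htpasswd entry by hash scheme, lists the DES users who need re-hashing with MD5, and models the two helper behaviours described above (reject in 3.2.0.11, warn-and-allow in 3.1.15). The limit is applied in bytes, as a C strlen() would count it, so an 8-character UTF-8 password can still exceed it. The htpasswd lines are constructed placeholders, not real credentials.

```python
"""Audit an NCSA htpasswd file for DES entries and apply the helper's
8-byte rule. Added example, not Squid's ncsa_auth code. The sample
htpasswd lines are constructed placeholders, not real credentials."""
import re
from typing import Dict, List

DES_LIMIT = 8  # traditional crypt(3) DES only consumes the first 8 bytes
# Traditional DES crypt output: 13 chars of the crypt alphabet, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(h: str) -> str:
    """Name the hash scheme of one htpasswd password field."""
    if h.startswith("$apr1$"):
        return "md5-apr1"    # Apache/NCSA MD5 (htpasswd -m)
    if h.startswith("$1$"):
        return "md5-crypt"   # libc MD5 crypt
    if h.startswith("{SHA}"):
        return "sha1"        # htpasswd -s
    if DES_RE.match(h):
        return "des"         # htpasswd -d, the scheme affected by SQUID-2011:2
    return "unknown"

def parse_htpasswd(text: str) -> Dict[str, str]:
    """Return {user: hash}; blank, comment and malformed lines are skipped."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if sep and user and h:
            users[user] = h
    return users

def des_users(text: str) -> List[str]:
    """Users whose stored hash is DES and so must be re-created with MD5."""
    return [u for u, h in parse_htpasswd(text).items()
            if classify_hash(h) == "des"]

def length_policy(h: str, password: str, strict: bool = True) -> str:
    """Decision the helper takes before hashing a submitted password.

    'allow'      - not a DES entry, or the password fits in 8 bytes
    'reject'     - 3.2.0.11 helper: over-long password against a DES entry
    'allow-warn' - 3.1.15 transition helper: same case, warns but lets it through
    Measured in bytes because the C helper sees the UTF-8 byte string.
    """
    if classify_hash(h) != "des":
        return "allow"
    if len(password.encode("utf-8")) <= DES_LIMIT:
        return "allow"
    return "reject" if strict else "allow-warn"

# Constructed sample file; the hashes are placeholders.
SAMPLE_HTPASSWD = """\
# proxy users
alice:abJnggxhB/yWI
bob:$apr1$Zr3k9Qx1$0aY5sZ8e3d2c1b0a9f8e7d6c5
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:$1$saltsalt$abcdefghijklmnopqrstuv
"""

if __name__ == "__main__":
    for user in des_users(SAMPLE_HTPASSWD):
        print(f"{user}: DES entry, re-create it with 'htpasswd -m' before upgrading")
```

Run it against your real file to get the migration list; users with an MD5 (or SHA) entry are unaffected by the new rejection and need no action.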
The ACL definitions for manager, localhost and to_localhost are built
into this release, in the same way the all ACL was built into the 3.1
series. You may need to remove the old default definitions of localhost
and to_localhost from your squid.conf. Appending IPs, such as the host's
public IP, to the localhost ACL is still possible in the same form as before.
Regular expression ACLs have received some optimization updates. ACL
definitions with multiple entries are now trimmed and compressed for
faster processing. Prefix and suffix .* wildcards are not necessary on
regex patterns; expect a warning if this kind of wildcard trimming is needed.
Virtual hosting support is now the default mode for accelerator
proxies, matching the defaults HTTP/1.1 expects. The no-vhost option is
added to http_port if you require the old behaviour (that of the vhost
flag being omitted).
This release logs HTTP traffic headers in full at debug level 11,2,
along with connection IP:port details, for simpler traffic diagnosis.
This can be a lot of output on busy proxies. Take care not to flood
the logs or disks when debugging.
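The configuration changes announced above (NAT interception on the Squid host, client_dst_passthru, the built-in localhost/to_localhost/manager ACLs, no-vhost on accelerator ports, and the 11,2 debug level) are easier to see together. The fragment below is an added squid.conf example, not one shipped with the release; the addresses and ports are placeholders, and the commented-out lines show the alternatives rather than recommended settings.

```conf
# Added example squid.conf fragment for 3.2.0.11 (placeholder addresses).

# localhost, to_localhost and manager are now built in. Remove old 3.1
# definitions such as these from squid.conf:
#   acl localhost src 127.0.0.1/32 ::1
#   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#   acl manager proto cache_object
# Adding further addresses to the built-in localhost ACL still works:
acl localhost src 203.0.113.5/32

acl localnet src 192.168.0.0/16

http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access deny all

# Forward proxy port plus a NAT interception port. The REDIRECT rule that
# feeds port 3129 must be on this same host: Squid now looks up the
# original destination itself to verify the Host header, and a failed
# lookup is treated as a contradiction.
http_port 3128
http_port 3129 intercept

# Default (on): intercepted requests are sent to the NAT destination.
# Set it off only if intercepted traffic must be relayed via a cache_peer.
client_dst_passthru on
# client_dst_passthru off
# cache_peer 192.0.2.10 parent 3128 0 no-query default
# never_direct allow all

# Reverse proxy port: virtual hosting is now the default for accel ports.
# no-vhost restores the old behaviour of ignoring the Host header.
# http_port 80 accel defaultsite=www.example.com no-vhost

# Full request and response headers with IP:port details. Very verbose;
# enable only while diagnosing and watch the size of cache.log.
debug_options ALL,1 11,2
```

After editing, run "squid -k parse" to have this release point out any remaining legacy definitions before reloading.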
As usual this release contains all the fixes passed on to 3.1 series
alongside its own changes.
See the ChangeLog for the list of other minor changes in this release.
All users interested in 3.2 features are encouraged to assist testing
this release.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2.
Upgrade tip:
"squid -k parse" is starting to display even more useful hints about
squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.2/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.2/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries