Squid 3.2.0.11 is available

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.2.0.11 beta release!


This release is a security update and bug fix release resolving many of the regressions found in the prior releases. The details are long, but please read carefully.


* Advisory SQUID-2011:1 also known as CVE-2009-0801

See the Squid advisory for more details on the problem:
http://www.squid-cache.org/Advisories/SQUID-2011_1.txt

This release compares the textual representations of the URL and the Host header for all traffic containing both. In the case of intercepted traffic the client destination IP is also compared against the DNS entries of the Host: header. When a contradiction is found Squid will log "SECURITY ALERT: Host: header forgery detected" and respond with a 409 Conflict error page.

NAT interception *MUST* be performed on the same device as Squid. This is no longer optional. NAT lookup failures of any kind also become more important, possibly blocking traffic. At the time of writing we are aware of NAT issues on OpenBSD and on systems using IPFW. Help wanted.
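The two comparisons described above, as an added example in Python that is not Squid's own code: the URL host is compared textually with the Host: header, and for intercepted requests the Host: name is resolved and compared with the client's original NAT destination, with a failed NAT lookup treated as a contradiction. The DNS table, hostnames and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for DNS lookups (hostname -> addresses); a real check
# would resolve the Host: header through the same resolver the proxy uses.
DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "cdn.example.net": {"198.51.100.7"},
}

ALERT = "SECURITY ALERT: Host: header forgery detected"

@dataclass
class Request:
    target: str                          # request-line target (absolute URL or path)
    host_header: str                     # value of the Host: header
    intercepted: bool = False            # arrived via NAT interception
    client_dst_ip: Optional[str] = None  # original destination from the NAT lookup

def _norm(host: str, scheme: str = "http") -> str:
    """Lower-case and drop an explicit default port so 'A:80' equals 'a'."""
    host = host.strip().lower()
    default = ":443" if scheme == "https" else ":80"
    return host[:-len(default)] if host.endswith(default) else host

def check_host(req: Request, dns=DNS) -> tuple:
    """Return (status, message): 200 to forward, 409 when the Host: is contradicted."""
    parts = urlsplit(req.target)
    if parts.netloc:
        # Forward-proxy request with an absolute URL: both names are present,
        # so their textual forms must agree.
        if _norm(parts.netloc, parts.scheme) != _norm(req.host_header, parts.scheme):
            return 409, f"{ALERT} (URL host {parts.netloc!r} != Host {req.host_header!r})"
    if req.intercepted:
        # Intercepted traffic: the Host: name must resolve to the IP the client
        # actually connected to. A failed NAT lookup leaves nothing to compare.
        if req.client_dst_ip is None:
            return 409, f"{ALERT} (NAT lookup failed, no original destination)"
        name = _norm(req.host_header).split(":")[0]
        if req.client_dst_ip not in dns.get(name, set()):
            return 409, f"{ALERT} (client dst {req.client_dst_ip} not in DNS for {name!r})"
    return 200, "ok"
```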

This release also passes intercepted traffic through to the original NAT destination by default. The client_dst_passthru directive is provided to retain the old Squid behaviour if you require intercepted traffic to pass through cache_peer.

At the time of writing we are also aware of HTTP header issues with the Avira anti-virus updater and are working with the vendor to resolve it. Please contact Avira for an update if this affects you or your clients.



* Advisory SQUID-2011:2 Password truncation in NCSA using DES

The DES algorithm used by the NCSA Basic authentication helper has a limit of 8 bytes, but some (not all) library implementations do not error or warn when truncating longer passwords down to this limit.

This both significantly lowers the threshold of difficulty decrypting captured password files and hides from users the fact that the extra bits provided by their chosen long password are not being utilized.

The NCSA helper bundled with Squid will prevent passwords longer than 8 characters from being sent to the DES algorithm. The MD5 hash algorithm, which supports passwords longer than 8 characters, is also supported by this helper and should be used instead.

IMPORTANT:
The helper bundled with this release does not warn when rejecting. If you require a transition period to update your systems, please use the helper bundled with the 3.1.15 release. It warns loudly and possibly often, but allows clients through.



The ACL definitions for manager, localhost and to_localhost are built into this release in the same way the all ACL was built into the 3.1 series. You may need to remove the old default values of localhost and to_localhost from your squid.conf. Appending IPs such as the host's public IP to the localhost ACL is still possible in the same form as before.


Regular expression ACLs have received some optimization updates. ACL definitions with multiple entries are now trimmed and compressed for faster processing. Prefix and suffix .* wildcards are not necessary in regex ACL patterns. Expect to be warned if this type of wildcard trimming is needed.


Virtual hosting support is made the default mode for accelerator proxies, matching the expected HTTP/1.1 defaults. The no-vhost option is added to http_port if you require the old behaviour when the vhost flag was omitted.


This release logs HTTP traffic headers in full at debug level 11,2 along with connection IP:port details for simpler traffic diagnosis. This can be a lot of output on busy proxies. Care should be taken not to flood the logs or disks when debugging.



As usual this release contains all the fixes passed on to the 3.1 series alongside its own changes.

See the ChangeLog for the list of other minor changes in this release.


All users interested in 3.2 features are encouraged to assist testing this release.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2.

Upgrade tip:
"squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers:

      http://www.squid-cache.org/Versions/v3/3.2/
      ftp://ftp.squid-cache.org/pub/squid/
      ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

      http://www.squid-cache.org/Download/http-mirrors.html
      http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report:
      http://bugs.squid-cache.org/


Amos Jeffries

