We have uncovered the presence of a serious bug in squid-3.1
miss_access directive recently.
http://bugs.squid-cache.org/show_bug.cgi?id=3326
The result of this bug is that configuration file settings for
miss_access are ignored by all Squid-3.1 releases up to and including
3.1.15.
The fix has been applied to 3.1 and once our mirrors pick it up the
patch can be found at:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10373.patch
If you need to use this directive for anything you will need to apply
the patch or obtain an updated version of Squid.
This only affects users who have been accepted past the http_access
security controls. So is not currently believed to be serious enough for
a full advisory. If you know of any situation which would change our
mind on that please inform.
Amos
