The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.4.4 release! This release is a security and bug fix release resolving many portability issues found in the prior Squid releases. The major changes to be aware of: * CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities. * Bug #4029: intercepted HTTPS requests bypass caching checks This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server. * Bug #4026: SSL and adaptation_access on aborted connections When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased. * Bug #3969: credentials caching for Digest authentication This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid. * Bug #3769: client_netmask not evaluated since Comm redesign This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored. * Bug #3186 and #3628: Digest authentication always sending stale=false These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry. * Several portability issues have also been resolved The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based. All users of Squid-3.4 with HTTPS traffic are urged to upgrade to this release as soon as possible. All users of Squid-3.4 are encouraged to upgrade to this release as soon as possible. All users of older Squid versions are encouraged to upgrade as soon as possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html when you are ready to make the switch to Squid-3.4 Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes. This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v3/3.4/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/3.4/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries
