The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.4.9 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* Bug 3803: ident leaks memory on failure

Please note that on Squid installations which have been configured to send IDENT queries to WAN visitors this can become a remotely triggerable security vulnerability. A remote attacker can DoS the Squid service by sending enough HTTP traffic from hosts not responding to IDENT that the memory leak overwhelms the Squid server.

IMPORTANT: Correct configuration of IDENT in Squid includes ident_access ACLs limiting IDENT queries to being sent only to LAN (localnet) clients.

* Bug 4102: ssl_bump certificate contains only a dot character in key usage extension

The previous fix for bug 3966 was incorrect. SSL-bump generated certificates would display with a valid version for key extensions to exist but have a single "." character as the key extension field contents.

There have been reports that this fix is still incomplete and there may be further fixes needed on top of this one. However, this fix alone resolves browser issues with many websites using simple key extensions.

* Bug 4088: memory leak in external_acl_type helper

This bug would appear as a memory leak if an external_acl_type helper is configured with any of the cache=0, ttl=0 or negative_ttl=0 options. Leaked bytes amounted to the size of the helper lookup, response and HTTP request headers on any helper lookups which were not cached. That could be several MB per minute on a busy proxy.

* Bug 4024: Bad host/IP ::1 when using IPv4-only environment

This bug would show up as a fatal configuration error processing the default ::1 localhost address on a system with IPv6 completely disabled in the host DNS resolver library.

NOTE WELL: disabling IPv6 entirely violates the Internet standard BCP 177 "IPv6 Support Required for All IP-Capable Nodes". HTTP is one of the protocols where IP addresses are embedded in the layer-3 protocol syntax. There are no guarantees of correct proxying operation if the system underlying Squid prevents it from correctly interpreting IPv6 elements within HTTP messages.

All users of Squid with IDENT are urged to upgrade to this release as soon as possible.

All users of Squid with SSL-bump are urged to upgrade to this release as soon as possible.

All other users of Squid are encouraged to upgrade to this release as time permits.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4.

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

squid-announce mailing list
http://lists.squid-cache.org/listinfo/squid-announce
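
An added example, not part of the original announcement and not Squid project code: a small audit of squid.conf text for the two configuration-dependent leaks described above (Bug 3803 and Bug 4088). It assumes that "ident_access ACLs" refers to the squid.conf directive ident_lookup_access and that "LAN" means the private ranges listed in the code; the ACL names and helper paths in the sample are constructed.

```python
import ipaddress

# Assumption: "LAN" means the RFC 1918, IPv6 ULA and link-local ranges.
LAN = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
LEAKY_OPTS = {"cache=0", "ttl=0", "negative_ttl=0"}  # options named for Bug 4088

def lan_only(values):
    """True if every value of a src ACL parses as a network inside LAN."""
    if not values:
        return False
    for v in values:
        try:
            net = ipaddress.ip_network(v, strict=False)
        except ValueError:  # address ranges, hostnames, files: treat as not LAN
            return False
        if not any(net.version == l.version and net.subnet_of(l) for l in LAN):
            return False
    return True

def audit(conf_text):
    """Return (line_no, bug_id, directive) findings for a squid.conf text."""
    rows = [ln.split("#", 1)[0].split() for ln in conf_text.splitlines()]
    src_acls = {}
    for t in rows:  # pass 1: collect src ACL definitions
        if len(t) > 3 and t[0] == "acl" and t[2] == "src":
            src_acls.setdefault(t[1], []).extend(t[3:])
    findings = []
    for no, t in enumerate(rows, 1):  # pass 2: check the two directives
        if t[:2] == ["ident_lookup_access", "allow"]:
            # LAN-limited only if one of the rule's ACLs is a LAN-only src ACL
            if not any(lan_only(src_acls.get(name)) for name in t[2:]):
                findings.append((no, "3803", " ".join(t)))
        elif t[:1] == ["external_acl_type"] and LEAKY_OPTS & set(t[2:]):
            findings.append((no, "4088", " ".join(t)))
    return findings

SAMPLE = """\
acl localnet src 10.0.0.0/8 192.168.0.0/16   # constructed sample
acl partners src 203.0.113.0/24
external_acl_type grp ttl=0 %LOGIN /usr/local/bin/grp_helper
external_acl_type geo ttl=60 %SRC /usr/local/bin/geo_helper
ident_lookup_access allow localnet
ident_lookup_access allow partners
ident_lookup_access deny all
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The audit only reads ident_lookup_access and external_acl_type lines; it does not follow include files or evaluate other ACL types.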