The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.4 release! This release is a security and bug fix release resolving several critical issues found in the prior Squid releases. The major changes to be aware of: * CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate valdidation http://www.squid-cache.org/Advisories/SQUID-2015_1.txt The bug is important because it allows remote servers to bypass client certificate validation. Some attackers may also be able to use valid certificates for one domain signed by a global Certificate Authority to abuse an unrelated domain. However, the bug is exploitable only if you have configured Squid to perform SSL Bumping with the "client-first" or "bump" modes of operation. Sites that do not use SSL-Bump are not vulnerable. A squid.conf workaround is available for quick use and those unable to upgrade. See the Advisory notice for details. * Add server_name ACL matching server name(s) obtained from various sources This ACL type allows SSL-Bumped traffic to match on the best available server name information. Taking its value from CONNECT URI, TLS SNI, or Server X509 cetificate depending on which the current stage of TLS processing makes available. It is designed for use primarily for deciding ssl_bump logic based on server domain name. Unlike dstdomain it does not perform rDNS lookup when presented with a raw-IP address. * Support for resuming TLS sessions TLS and SSL contain a session resume feature which does not supply X509 certificates for Squid to mimic during the decryption. Previously Squid has had to abort these connections, causing various client errors. This release brings support for automatic splicing of resumed TLS sessions. Bumping is not possible due to lack of certificate information, and the old behaviour of responding with an error is causing too many complaints. * Basic support for ALPN and NPN TLS extensions These TLS extensions are required to correctly splice or bump port 443 traffic now the port is being heavily overloaded for use by non-HTTPS protocols wrapped in TLS. When bumping Squid negotiates for HTTP/1.1 over TLS (HTTPS) to be the protocol used by both server and client so that Squid can process it. * Multiple SSL-Bump related crashes Several different causes of assertion failure when performing SSL-Bump have been fixed. * Add Kerberos support for MAC OS X 10.x Support for Apple custom Kerberos implementation is added in this release. All users of Squid-3.5 with SSL-Bump features are urged to upgrade to this release as soon as possible. All users of Squid are encouraged to upgrade to this release as time permits. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html when you are ready to make the switch to Squid-3.5 Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes. This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v3/3.5/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/3.5/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce
