The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.6 release!

This release is a security and bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2015:2 Improper Protection of Alternate Path
   http://www.squid-cache.org/Advisories/SQUID-2015_2.txt

   Squid, when passing a CONNECT request to a cache_peer, blindly passes the response back to the client. This can result in further requests on the connection bypassing all access controls or routing configuration in the gateway proxy that would otherwise have been applied.

   The default settings of Squid protect most sites against this. However, certain known network topologies require the configuration which is vulnerable.

 * Regression Bug 4193: Memory leak on FTP listings

   Recent releases have been leaking a small amount of memory on every successful FTP directory listing. That has now been resolved.

 * Bug 3329: The server side pinned connection is not closed properly

   Squid's internal state for remotely closed server connections was not updated correctly, which could result in pinned client connections hanging until a timeout, and then the abort being applied unexpectedly to an unrelated connection.

 * Bug 3875: bad mimeLoadIconFile error handling

   This bug represented a small collection of errors possible when loading icon files during startup. They may have resulted in various secondary errors later as the icons were used. Squid will now log such failures on startup and respond with 204 (No Content) when the icon is requested.

 * Bug 4183: segfault when freeing https_port clientca on reconfigure or exit

   This bug would appear on reconfigure when squid.conf contained the http(s)_port clientca= parameter.

 * Bug 3483: assertion failed store.cc:1866: 'isEmpty()'

   This bug appeared randomly after Squid crashed, was shut down with short timeouts, or encountered various cache access issues (including bug 3875 above). While some of these causes still exist, this release treats the resulting error properly as a SWAPFAIL and continues operation instead of aborting with an assertion.

 * TLS: Disable client-initiated renegotiation

   Current OpenSSL libraries protect against renegotiation already. Squid does not renegotiate, which avoids the specific CVE-2009-3555 issue. Use of only the latest TLS protocol (as per Best Current Practice) also protects against these effects. However, client-initiated TLS/SSL renegotiation could still result in a Denial of Service vulnerability for some libraries and configurations.

   This further hardens against the SSL protocol flaw by rejecting client attempts to renegotiate the security protocol after the initial TLS/SSL client handshake has completed. This change only has effect when Squid is built against libraries which allow vulnerable forms of renegotiation, or when Squid is configured to allow SSLv3 downgrade renegotiation. Note that SSLv3 downgrade from TLS is still permitted, but only before the initial client handshake has completed.

 * Fix CONNECT failover to IPv4 after trying broken IPv6 servers

   This bug affects Squid attempting to open a TCP connection to a server over broken IP connectivity. When the initial attempt timed out, Squid would respond to the client with an error instead of attempting further IPs.

   Note that only broken IP connectivity is required to trigger this bug. That break may exist connecting to an IPv4 server or cache_peer. It is currently more common in IPv6 connections due to explicit sysadmin breakage "disabling" IPv6.

 * Use relative-URL in errorpage.css for SN.png

   The errorpage.css default file has previously been required, due to technical problems, to use an absolute-URL to reference the default error message Squid icon. With the CSS3 behaviour of the current generation of browsers, and bug 4132 fixed in the previous 3.5 release, this requirement is lifted.

   As of the current release the Squid default error page icon uses a relative-URL referring to the stored icon file published and installed with the Squid generating the error page (or any intervening Squid proxy closer to the client). This resolves the privacy information leak worries that have been raised by some sysadmins.

All users of Squid are urged to upgrade to this release as soon as possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce