
Squid 3.5.9 RPMs are available

Since it's a security release I will not write an article this time.
But I am happy to release the new RPMs for squid cache 3.5.9.

In this release the major thing is a security update while I have ECAP support for the CentOS 7 RPMs. It is now a requirement for squid on CentOS 7 to have libecap libs installed, which are available through the Squid RPM repo (http://wiki.squid-cache.org/KnowledgeBase/CentOS).

It is advised to update to 3.5.9 if you are using ssl-bump.

Eliezer

On 21/09/2015 13:43, Amos Jeffries wrote:
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.9 release!


This release is a security and bug fix release resolving issues found in
the prior Squid releases.


The major changes to be aware of:


* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
   processing

These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service and all
other services on the same machine.

However, the bugs are exploitable only if you have configured a
Squid-3.5 listening port with ssl-bump.

The visible signs of these bugs are a Squid crash or high CPU usage.
Skype is known to trigger the crash and/or a small amount of extra CPU
use unintentionally. Malicious traffic is possible which could have
severe effects.


* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

The SMB LanMan authentication helper in Squid-3.2 and later has been
rejecting valid user credentials.

Reminder: Use of this helper is deprecated. We strongly recommend
against using it. LanMan authentication gives the illusion of
transmitting NTLM protocol while actually transmitting username and
password with crypto algorithms that can be decoded in real-time (this
helper relies on that ability). The combination makes it overall less
secure than even HTTP Basic authentication.


* TLS: Support SNI on generated CONNECT after peek

When Squid generates CONNECT requests it will now attempt to use the
client SNI value if any is known.

Note that SNI is found during an ssl_bump peek action, so will only be
available on some generated CONNECT. Intercepted traffic will always
begin with a raw-IP CONNECT message which must pass access controls and
adaptations before ssl_bump peek is even considered.


* Quieten UFS cache maintenance skipped warnings

This resolves the log noise encountered since the 3.5.8 release when
large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.



  All users of Squid are urged to upgrade to this release as soon as
possible.


  See the ChangeLog for the full list of changes in this and earlier
  releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
   "squid -k parse" is starting to display even more
    useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
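
An added example, not part of either message above and not Squid project code: a check for the exposure condition the announcement gives for SQUID-2015:3, a listening port configured with ssl-bump on a Squid-3.5 release older than 3.5.9. The function names and sample squid.conf are constructed for illustration; treating 3.5.0 through 3.5.8 as the affected range and treating a token starting with `#` as the start of a comment are assumptions.

```python
import re

PORT_DIRECTIVES = ("http_port", "https_port")  # directives that accept ssl-bump

# Constructed sample squid.conf (not taken from the announcement).
SAMPLE_CONF = """\
# constructed sample
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \\
    cert=/etc/squid/ssl_cert/myCA.pem
# http_port 3131 ssl-bump cert=/etc/squid/old.pem
http_port 127.0.0.1:3132 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
"""

def ssl_bump_ports(conf_text):
    """Return (line_no, directive, address) for every port line with ssl-bump."""
    logical, start, buf = [], None, ""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):      # join backslash-continued lines
            buf += raw.rstrip()[:-1] + " "
            continue
        logical.append((start, buf + raw))
        start, buf = None, ""
    if buf:                                  # file ended on a continuation
        logical.append((start, buf))
    hits = []
    for no, line in logical:
        tokens = []
        for tok in line.split():
            if tok.startswith("#"):          # assumption: rest of line is a comment
                break
            tokens.append(tok)
        if (len(tokens) >= 2 and tokens[0] in PORT_DIRECTIVES
                and "ssl-bump" in tokens[2:]):
            hits.append((no, tokens[0], tokens[1]))
    return hits

def is_pre_fix_35(version_banner):
    """True for a 3.5.x banner (as printed by `squid -v`) older than 3.5.9."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", version_banner)
    return bool(m) and (int(m[1]), int(m[2])) == (3, 5) and int(m[3]) < 9

def exposed_ports(conf_text, version_banner):
    """ssl-bump ports that matter for SQUID-2015:3 on this build, else []."""
    return ssl_bump_ports(conf_text) if is_pre_fix_35(version_banner) else []

if __name__ == "__main__":
    for no, directive, addr in exposed_ports(SAMPLE_CONF, "Squid Cache: Version 3.5.8"):
        print(f"line {no}: {directive} {addr} uses ssl-bump on a pre-3.5.9 build")
```

The check does not follow `include` directives, so included files need to be passed through `ssl_bump_ports` separately.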