The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.19 release!

This release is a security and bug fix release resolving several vulnerabilities and issues found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2016:7 - Cache poisoning issue in HTTP Request handling
   http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
   aka. CVE-2016-4553

   Due to incorrect data validation of intercepted HTTP Request messages, Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning.

 * SQUID-2016:8 - Header smuggling issue in HTTP Request processing
   http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
   aka. CVE-2016-4554

   This problem allows a client to smuggle a Host header value past same-origin security protections to cause Squid operating as an interception or reverse proxy to contact the wrong origin server, also poisoning any downstream cache which stores the response.

   However, the cache poisoning is only possible if the caching agent (browser or explicit/forward proxy) is not following RFC 7230 processing guidelines and lets the smuggled value through. Note that all releases of Squid up to and including this one do not follow that recently added RFC guideline.

 * SQUID-2016:9 - Multiple Denial of Service issues in ESI
   http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
   aka. CVE-2016-4555 and CVE-2016-4556

   These problems allow a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service. Due to unrelated changes, Squid-3.5 has become vulnerable to some regular ESI server responses also triggering one or more of these issues.

 * Bug 4498: URL-unescape the login-info after extraction from URI

   This bug shows up as the URL-escaped (encoded) form of credentials being delivered to the authentication helpers, or relayed to FTP servers when present in an ftp:// URL, where the un-escaped form is needed.
   It commonly affects credentials which contain characters other than plain ASCII alphanumerics.

 * TLS: Fix SSL alert message and session resume handling

   Previous Squid did not handle SSL/TLS server responses that start with an SSL Alert Record, and also failed to detect and handle resuming sessions.

 * Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

   Previous Squid would always send the "-b" command line option to its certificate generator helper. If the installation was using a custom helper, this could lead to very annoying issues.

All users of Squid-3 or older are urged to upgrade to this release as soon as possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5.

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce
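The Host header smuggling item (SQUID-2016:8) comes down to a proxy trusting a Host value it should have checked against the request it actually received. The following is an added example written for this page, not Squid's code: a small request-head parser plus a strict Host check that rejects a head carrying more than one Host header (RFC 7230 section 5.4 requires a 400 response for that) and one whose Host disagrees with the authority of an absolute-form request-target. The names `RawRequest`, `parseHead`, `checkHost` and the sample requests are all assumptions constructed for the example; default-port folding (`host` vs `host:80`) is deliberately left out.

```cpp
// Added example, not Squid's own code. Strict Host header consistency check
// for an interception/reverse proxy. All names here are hypothetical.
#include <cctype>
#include <string>
#include <utility>
#include <vector>

struct RawRequest {
    std::string target;                                        // request-target from the request line
    std::vector<std::pair<std::string, std::string>> headers;  // wire order, names as received
};

enum class HostCheck { Ok, MissingHost, DuplicateHost, HostMismatch };

static std::string lowerCase(std::string s)
{
    for (auto &c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string trim(const std::string &s)
{
    const auto b = s.find_first_not_of(" \t");
    if (b == std::string::npos)
        return std::string();
    const auto e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parse a request head: request line, header lines (CRLF or LF), empty line.
// Header lines without a ':' are skipped; a name with trailing whitespace is
// left unmatched, which a real server should reject outright (RFC 7230 3.2.4).
static RawRequest parseHead(const std::string &raw)
{
    RawRequest req;
    bool requestLine = true;
    std::string::size_type pos = 0;
    while (pos < raw.size()) {
        const auto eol = raw.find('\n', pos);
        std::string line = raw.substr(pos, eol == std::string::npos ? std::string::npos : eol - pos);
        pos = (eol == std::string::npos) ? raw.size() : eol + 1;
        if (!line.empty() && line.back() == '\r')
            line.pop_back();
        if (line.empty())
            break;  // end of the head
        if (requestLine) {
            const auto sp1 = line.find(' ');
            const auto sp2 = (sp1 == std::string::npos) ? std::string::npos : line.find(' ', sp1 + 1);
            if (sp1 != std::string::npos)
                req.target = line.substr(sp1 + 1, sp2 == std::string::npos ? std::string::npos : sp2 - sp1 - 1);
            requestLine = false;
            continue;
        }
        const auto colon = line.find(':');
        if (colon == std::string::npos)
            continue;
        req.headers.emplace_back(line.substr(0, colon), trim(line.substr(colon + 1)));
    }
    return req;
}

// "host[:port]" of an absolute-form target, or "" for an origin-form target.
static std::string targetAuthority(const std::string &target)
{
    const auto schemeEnd = target.find("://");
    if (schemeEnd == std::string::npos)
        return std::string();
    const auto start = schemeEnd + 3;
    const auto end = target.find('/', start);
    std::string authority = target.substr(start, end == std::string::npos ? std::string::npos : end - start);
    const auto at = authority.rfind('@');  // drop any userinfo
    if (at != std::string::npos)
        authority.erase(0, at + 1);
    return authority;
}

static HostCheck checkHost(const RawRequest &req)
{
    std::vector<std::string> hosts;
    for (const auto &h : req.headers)
        if (lowerCase(h.first) == "host")
            hosts.push_back(h.second);
    if (hosts.empty())
        return HostCheck::MissingHost;
    if (hosts.size() > 1)
        return HostCheck::DuplicateHost;  // RFC 7230 5.4: respond 400, never pick one
    const std::string authority = targetAuthority(req.target);
    // Absolute-form target: Host must name the same authority (case-insensitive).
    if (!authority.empty() && lowerCase(authority) != lowerCase(hosts[0]))
        return HostCheck::HostMismatch;
    return HostCheck::Ok;
}

static HostCheck checkRawRequest(const std::string &raw) { return checkHost(parseHead(raw)); }

// Constructed sample request heads for demonstration (not captured traffic).
static const char *const kSaneRequest     = "GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n";
static const char *const kDuplicateHost   = "GET / HTTP/1.1\r\nHost: example.com\r\nHost: other.example\r\n\r\n";
static const char *const kMismatchedHost  = "GET http://example.com/ HTTP/1.1\r\nHost: other.example\r\n\r\n";
```

Treating a mismatch as a reject is stricter than RFC 7230's rule for forward proxies, which replace the Host header with the request-target's authority; for an interception or reverse proxy, where the client has no business naming a different origin, refusing the request is the safer policy, and the refusal is also the natural point to log for detection.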
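Bug 4498 above is an ordering problem: the login-info has to be split out of the URI first and percent-decoded second, otherwise an encoded `%3A` or `%40` inside a user name or password either reaches the helper still encoded or shifts the split point. This added example (written for this page, not taken from Squid) shows that order with a hypothetical `extractLogin()`; the `unescape` flag only exists so the still-encoded form the announcement describes can be seen next to the decoded one. The sample ftp:// URI is constructed.

```cpp
// Added example, not Squid's own code: extract the login-info of a URI and
// percent-decode it only after it has been split out. Names are hypothetical.
#include <cctype>
#include <cstdlib>
#include <string>

struct LoginInfo {
    bool present = false;  // true when the URI carried "userinfo@"
    std::string user;
    std::string password;
};

// Percent-decode per RFC 3986. A '%' not followed by two hex digits is kept
// literally rather than being treated as an error.
static std::string urlUnescape(const std::string &in)
{
    std::string out;
    out.reserve(in.size());
    for (std::string::size_type i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            const std::string hex = in.substr(i + 1, 2);
            out.push_back(static_cast<char>(std::strtol(hex.c_str(), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Pull "user:password" out of "scheme://user:password@host/...".
// With unescape == false the raw, still-encoded form is returned, which is
// what the pre-3.5.19 behaviour described in the announcement amounts to.
static LoginInfo extractLogin(const std::string &uri, bool unescape)
{
    LoginInfo li;
    const std::string::size_type npos = std::string::npos;
    const auto schemeEnd = uri.find("://");
    if (schemeEnd == npos)
        return li;
    const auto authStart = schemeEnd + 3;
    const auto authEnd = uri.find('/', authStart);
    const std::string authority =
        uri.substr(authStart, authEnd == npos ? npos : authEnd - authStart);

    // An unencoded '@' cannot occur inside userinfo or host, so the last '@'
    // (if any) separates the login-info from the host.
    const auto at = authority.rfind('@');
    if (at == npos)
        return li;
    li.present = true;
    const std::string userinfo = authority.substr(0, at);

    // Split on the first ':' BEFORE decoding, so an encoded "%3A" inside the
    // user name or password cannot move the split point.
    const auto colon = userinfo.find(':');
    li.user = userinfo.substr(0, colon);
    li.password = (colon == npos) ? std::string() : userinfo.substr(colon + 1);

    if (unescape) {
        li.user = urlUnescape(li.user);
        li.password = urlUnescape(li.password);
    }
    return li;
}

// Constructed sample URI (not real credentials): user "jo@example.com",
// password "p@ss:w0rd", both percent-encoded as RFC 3986 requires.
static const char *const kSampleFtpUri =
    "ftp://jo%40example.com:p%40ss%3Aw0rd@ftp.example.com/pub/";
```

Calling `extractLogin(kSampleFtpUri, true)` yields the decoded pair a helper or FTP server expects; the same call with `false` hands over `jo%40example.com` and `p%40ss%3Aw0rd`, which is the symptom the bug report describes for credentials containing anything outside plain ASCII alphanumerics.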