The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.11 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* HTTP/1.1: unfold mime header block

  HTTP/1.0 allowed headers to be whitespace folded, which can lead to
  problems like CVE-2016-4553 fixed in the previous release. RFC 7230 for
  HTTP/1.1 now prohibits the practice and requires proxies to remove the
  folding.

  This release of Squid does so and thus hardens all HTTP traffic flowing
  through it against such attacks.

  The squidclient tool -H option has also been extended to accept more
  shell-escape characters which are useful in testing for those types of
  issues.

* HTTP/1.1 chunked encoding improvements

  - Bug #4492: chunked parser needs to accept BWS after chunk size

    This fixes issues interoperating with IBM servers which have been
    identified as sending whitespace padding in the chunked encoding size
    field when they should not.

  - Allow chunking the last HTTP response on a connection.

    Previous Squid did not use chunked encoding when prior knowledge
    indicated that the connection was to be closed immediately after the
    message payload. This made some sense in reducing workload and delays,
    but also leads to difficulty identifying connection related errors
    sending those objects.

    Squid will now always chunked encode messages with unknown length
    payloads. This should reduce the number of unexpectedly hung
    connections or truncated objects.

* TLS improvements

  This release adds significant performance improvements to the SSL-Bump
  features 'peek' action locating client handshake details such as SNI.

  Initial experimental GnuTLS support for some functionality within the
  squid binary has been turned on. squid.conf settings which have been
  renamed in Squid-4 to begin with 'tls' rather than 'ssl' moniker have
  GnuTLS support as well as OpenSSL support.
  However, be aware that only a very limited set of background actions
  actually use GnuTLS. The most visible effect is squid.conf support.
  Features such as listening https_port's, ssl-bump and TLS connections
  still require OpenSSL.

* ie_refresh directive is removed

  This directive was a workaround hack for MSIE 3, 4 and 5 behaviour.
  Since those browser versions appear to be no longer in any significant
  amount of use this hack has been removed to simplify HTTP message
  processing.

* Deprecating SMB LanMan helpers

  The SMB LanMan helpers have now been removed from the set which are
  auto-detected and built by default. For the present their code is
  retained and can be built by explicitly listing "SMB_LM" in the Basic
  or NTLM authentication helpers list.

  The LanMan authentication protocols were deprecated sometime around
  1996. Any installations still using either of these helpers are
  strongly encouraged to upgrade to another authentication system.

* Memory allocation bugs

  Several more issues in the deep memory allocation layer of Squid have
  been resolved. Most of these probably show up as errors when free'ing
  memory.

  We expect this to greatly stabilize Squid-4 in many environments which
  have had memory related troubles with the Squid-3 series.

All users of Squid-4.0.x are encouraged to upgrade to this release.

All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors.
For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.

  http://bugs.squid-cache.org/

Amos Jeffries
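
The header unfolding described in the announcement, sketched as an added example (not Squid's code and not part of the original message). It replaces each RFC 7230 obs-fold with a single SP before splitting the block into fields, and compares the result with a line-at-a-time parser that trims every line; all function names and the sample block are constructed for illustration.

```python
import re

# obs-fold per RFC 7230 section 3.2.4: CRLF followed by at least one SP or HTAB.
OBS_FOLD = re.compile(rb"\r\n[ \t]+")

# Constructed sample: the third line is a folded continuation of X-Note.
SAMPLE = (b"Host: example.test\r\n"
          b"X-Note: first part\r\n"
          b"\tContent-Length: 0\r\n"
          b"Content-Length: 5\r\n")

def unfold(header_block: bytes):
    """Replace each obs-fold with one SP; return (block, folds_replaced)."""
    return OBS_FOLD.subn(b" ", header_block)

def parse_fields(header_block: bytes):
    """Split an already-unfolded block into (lowercased name, value) pairs."""
    fields = []
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        # Reject a missing colon, an empty name, or whitespace around the name
        # (this also catches a block that starts with whitespace).
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.decode("latin-1").lower(),
                       value.strip(b" \t").decode("latin-1")))
    return fields

def naive_fields(header_block: bytes):
    """Line-at-a-time parser that trims each line and so ignores folding."""
    out = []
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.strip().partition(b":")
        if sep:
            out.append((name.decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return out

if __name__ == "__main__":
    block, folds = unfold(SAMPLE)
    print("folds replaced:", folds)
    print("unfolded view :", parse_fields(block))
    print("naive view    :", naive_fields(SAMPLE))
```

The two views disagree on how many Content-Length fields the message carries, which is the kind of parser disagreement that forwarding only the unfolded block removes.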