The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.23 release!

This release is a security and bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2016:10 Information disclosure in Collapsed Forwarding
   <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>

   This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources.

   This problem only affects Squid configured to use the Collapsed Forwarding feature. It is of particular importance for HTTPS reverse-proxy sites with Collapsed Forwarding.

   This problem is present in all 3.5 releases, though 3.5.22 is hit worst because the collapsed revalidation extension increases the scope of traffic which can be collapsed.

 * SQUID-2016:11 Information disclosure in HTTP Request processing
   <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>

   This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources.

   This vulnerability is present in all Squid-3.1 and later versions. The only known workaround is to prevent caching entirely, which is far from ideal.

 * Bug #4169: HIT marked as MISS when If-None-Match does not match
 * Bug #3940: Host verify failures MISS when they should be HIT
 * Bug #3533: Cache still valid after HTTP/1.1 303 See Other
 * Bug #2258: bypassing cache but not destroying cache entry

   These bugs all share a common thread of reducing cache efficiency. This Squid will now leave existing cache content in place for use unless the new client response is able to be shared with other clients. Some of these bugs are only partially fixed, so further improvements may be possible.

 * HTTP/1.1: make Vary:* objects cacheable

   Under RFC 2616, responses containing a "Vary: *" header were not cacheable. That requirement has been loosened by RFC 7231 and Squid is now able to cache these responses.

 * ssl::server_name ACL badly broken since inception

   The original server_name code mishandled all SNI checks and some rare host checks. This was most visible in reports that the ssl::server_name ACL tests would fail where the equivalent regex ACL test would behave differently, usually by matching, or in situations where neither would match despite the value appearing to be available.

 * TLS: Make key= before cert= an error instead of quietly hiding the issue

   Previous versions of Squid would accept the TLS/SSL key= parameter being configured before the cert= parameter, but would then silently discard the key settings when loading the cert file. This would lead to unexpected behaviour or obscure 'permission' errors. This release will now produce a FATAL error and halt if configured with a key= parameter before its matching cert= parameter.

All users of Squid-3 are urged to upgrade to this release as soon as possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce
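As an added example (not part of the announcement and not Squid project code), the following POSIX shell lint finds the "key= before cert=" ordering that 3.5.23 now rejects with a FATAL error, so a configuration can be fixed before the upgrade rather than discovered at the first restart. It assumes the cert=/key= parameters sit on http_port or https_port directives in a squid.conf-style file; the sample configuration it writes is constructed for the demo. "squid -k parse" on the upgraded binary remains the authoritative check.

```shell
#!/bin/sh
# Added example, not Squid project code: pre-upgrade lint for the
# "key= before cert=" ordering that Squid-3.5.23 turns into a FATAL error.
# Assumption: the cert=/key= parameters appear on http_port or https_port
# directives. The authoritative check is still "squid -k parse".

# check_key_cert_order FILE
# Prints each http_port/https_port line whose key= comes before its cert=
# (or that has key= with no cert= at all) as FILE:LINE: directive.
# Returns 0 when nothing is wrong, 1 when at least one offender was found.
check_key_cert_order() {
    awk '
        /^[ \t]*https?_port[ \t]/ {
            keypos = 0; certpos = 0
            for (i = 2; i <= NF; i++) {
                if (keypos == 0 && $i ~ /^key=/)   keypos = i
                if (certpos == 0 && $i ~ /^cert=/) certpos = i
            }
            # Older Squid silently dropped the key in this case; 3.5.23 halts.
            if (keypos > 0 && (certpos == 0 || keypos < certpos)) {
                print FILENAME ":" NR ": " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_conf FILE
# Writes a constructed squid.conf fragment (not from the announcement):
# line 2 uses the order that now fails, line 4 is the corrected order.
write_sample_conf() {
    cat > "$1" <<'EOF'
# wrong: key= listed before cert=, older Squid quietly ignored the key
https_port 443 accel key=/etc/squid/site.key cert=/etc/squid/site.pem defaultsite=www.example.com
# right: cert= first, then key=
https_port 8443 accel cert=/etc/squid/site.pem key=/etc/squid/site.key defaultsite=www.example.com
http_port 3128
EOF
}

# Stand-alone demo: lint the constructed sample and report the verdict.
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    if check_key_cert_order "$tmp"; then
        echo "OK: no key= before cert= in $tmp"
    else
        echo "Fix the directives above before upgrading to 3.5.23"
    fi
    rm -f "$tmp"
}

demo
```

Run it against a real configuration with `check_key_cert_order /etc/squid/squid.conf` after sourcing the file; a non-zero exit means at least one listener would make the new release halt at startup, and the printed line numbers are the directives to reorder (cert= first, then key=).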