The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.4 release! This release is a security and bug fix release resolving several issues found in the prior Squid releases. The major changes to be aware of: * SQUID-1018:4 Cross-Site Scripting issue in TLS error processing http://www.squid-cache.org/Advisories/SQUID-2018_4.txt This problem allows a malicious HTTPS server to trigger error page delivery to a client and also inject arbitrary HTML code into the resulting error response. This problem is limited to Squid built with TLS / SSL support. * SQUID-2018:5 Denial of Service issue in SNMP processing. http://www.squid-cache.org/Advisories/SQUID-2018_5.txt This problem allows a remote attacker to consume all memory available to the Squid process, causing it to crash. In environments where per-process memory restrictions are not enforced strictly, or configured to large values this may also affect other processes operating on the same machine. Leading to a much worse denial of service situation. This problem is limited to Squid built with SNMP support and receiving SNMP traffic. * Bug 4893: Malformed %>ru URIs for CONNECT requests This bug showed up as "://host:port" URLs being logged for some CONNECT transactions in Squid-4.2 and 4.3. This release reverts Squid to the previous log output. * Fix %USER_CA_CERT_xx and %USER_CERT_xx Previous Squid-4 would crash when these macros where used to pass values to external ACL helpers. This issue is now fully resolved. * Support compilation with minimal OpenSSL Squid would not build successfully against an OpenSSL library which had itself been built to omit deprecated features and API. This Squid release should build in these minimized environments. All users of Squid-4 are urged to upgrade as soon as possible. All users of Squid-3 are encouraged to upgrade where possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v4/RELEASENOTES.html when you are ready to make the switch to Squid-4 This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v4/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/4/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce
