The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.9 release!

This release is a security release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2019:6 Multiple Cross-Site Scripting issues in cachemgr.cgi (CVE-2019-13345)

The previous fix for this issue turned out to be incomplete. An additional parameter has been identified as containing the same set of XSS issues.

See the advisory for updated patches:
<http://www.squid-cache.org/Advisories/SQUID-2019_6.txt>

Please note that the cachemgr.cgi tool is deprecated. All users of this tool are advised to plan migration to the HTTP manager API provided by current Squid proxies.

* SQUID-2019:7 Heap Overflow in URN processing (CVE-2019-12526)

This allows a malicious client to write a substantial amount of arbitrary data to the heap, potentially gaining the ability to execute arbitrary code.

On systems with memory access protections this can result in the Squid process being terminated unexpectedly, resulting in a denial of service for all clients using the proxy.

See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2019_7.txt>

* SQUID-2019:8 Multiple Issues in URI processing (CVE-2019-12523, CVE-2019-18676)

Any remote client may access resources which should be restricted and not available to them, such as those protected behind client IP ACLs. An attacker could also gain access to manager services when the Via header is turned off.

Any remote client can perform a Denial of Service on all other clients using the proxy.

See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2019_8.txt>

* SQUID-2019:9 Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677)

This issue allows attackers to hide origin servers for phishing attacks or malware download URLs.

This issue is restricted to proxies with append_domain configured. It is relatively easy for attackers to probe and determine whether a target network proxy has this directive along with its value.

See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2019_9.txt>

* SQUID-2019:10 HTTP Request Splitting in HTTP message processing (CVE-2019-18678)

This issue allows attackers to smuggle HTTP requests through frontend software to a Squid which splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches between client and Squid with attacker controlled content at arbitrary URLs.

Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor any upstream servers.

See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2019_10.txt>

* SQUID-2019:11 Information Disclosure in HTTP Digest Authentication (CVE-2019-18679)

Nonce tokens contain the raw byte value of a pointer which sits within a heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2019_11.txt>

* Bug 4966: Lower cache_peer hostname

This shows up as a DNS failure to resolve the peer name if it was configured with any upper case characters.

The change to always lower-case peer names may affect configurations relying on mixed case instead of the name= parameter to allow multiple entries for a peer name and port. It may also affect configurations using mixed or upper-case peer names with the peername or peername_regex ACL type.

Admins using these configurations should take extra care when upgrading, as the ACL may not provide any warnings before starting to non-match for a peer.

* TLS: Multiple SSL-Bump fixes

This release brings multiple important fixes to how Squid SSL-Bump features parse TLS traffic and interact with the certificate validation helper(s).

The issues solved show up as TLS protocol failures with no indication from the TLS traffic trace of any invalid data, or sometimes as connection timeouts. Unfortunately those same effects may come from many other causes as well, which may not be fixed yet.

This version of Squid should now be considered the minimum supported for debugging TLS protocol weirdness when using SSL-Bump or related features.

* TLS: Fix expiration of self-signed generated certs to be 3 years

The certificate generator previously was generating certificates slightly short of a 3 year expiry timestamp. This is perfectly valid, but may be surprising for systems expecting a multiple of years.

This release generates new certificates with the updated time period. Old certificates will continue to be used with the old period until they expire, or are discarded from the certificate cache.

* TLS: Fix on_unsupported_protocol tunnel action

Instead of tunneling traffic, a matching on_unsupported_protocol "tunnel" action resulted in a Squid error response sent to the client (or, where an error response was not possible, in a connection closure).

* Fix several rock cache_dir corruption issues

The previous design of the rock storage system means that rock caches may become littered with incomplete objects, or objects with an incorrect final chunk. Data protection measures will normally catch these and report metadata mismatches. However, there is a possibility some responses may be delivered.

It is recommended that users with cache_dir rock configured perform a cache erase and rebuild procedure during or shortly after upgrading.
<https://wiki.squid-cache.org/SquidFaq/ClearingTheCache>

All users of Squid are urged to upgrade as soon as possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

_______________________________________________
squid-announce mailing list
http://lists.squid-cache.org/listinfo/squid-announce
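The Bug 4966 item above warns that Squid-4.9 lower-cases cache_peer hostnames, so configurations that distinguished two entries for the same host and port only by letter case, or that matched mixed-case names with the peername ACL, can stop matching silently. The squid.conf fragment below is an added illustration, not text from the announcement or from the Squid project; the peer hostname, ports, ACL names and log path are constructed placeholders. It shows the fragile form beside the form the announcement recommends, which keys each entry on the name= parameter and keeps every name lower case so the ACL value is identical before and after the upgrade.

```conf
# --- Fragile: two entries for one host:port told apart only by case ---
# Before 4.9 the differing case made these distinct peers. After the
# lower-casing change both become "cache1.example.net" (constructed name),
# so the case-based distinction is lost and the ACL below, which spells
# the name with an upper-case "C", can stop matching without any warning.
#
# cache_peer Cache1.example.net parent 3128 0 no-query proxy-only
# cache_peer cache1.example.net parent 3128 0 no-query proxy-only
# acl to_cache1 peername Cache1.example.net

# --- Recommended: key each entry on name= and keep names lower case ---
# name= gives every cache_peer line its own identifier, so the same host can
# appear more than once (here on two constructed ports) without relying on
# how Squid normalises the hostname.
cache_peer cache1.example.net parent 3128 0 no-query proxy-only name=cache1-primary
cache_peer cache1.example.net parent 3129 0 no-query proxy-only name=cache1-backup

# peername ACLs reference the name= value, written entirely in lower case,
# so the match is unaffected by hostname lower-casing on upgrade.
acl via_cache1_primary peername cache1-primary
acl via_cache1_backup  peername cache1-backup

# peername_regex can cover a family of peers; the pattern is also lower case.
acl via_any_cache1 peername_regex ^cache1-

# Example use of the ACLs: route requests that were served via either
# cache1 entry to a dedicated log (constructed path).
access_log daemon:/var/log/squid/cache1-peers.log via_any_cache1
```

A quick pre-upgrade check is to grep squid.conf for cache_peer, peername and peername_regex lines containing upper-case letters; any hit is a candidate for the name= rewrite shown above, and `squid -k parse` after editing confirms the file still loads, though, as the announcement notes, a parse pass alone will not flag an ACL that has begun to non-match.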