On 4/02/20 12:54 am, Amos Jeffries wrote:
> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-4.10 release!
>
>
> This release is a security release resolving several issues found in
> the prior Squid releases.
>
>
> The major changes to be aware of:
>
>
>  * SQUID-2020:1 Improper Input Validation issues in HTTP Request
>    processing
>    (CVE-2020-8449, CVE-2020-8450)
>
>    This issue allows attackers to perform denial of service on the
>    proxy and all clients using it.
>
>    This issue potentially allows attackers to bypass security access
>    controls in systems between client and proxy.
>
>    This issue potentially allows remote code execution under the
>    proxy low-privilege level. While restricted, it does have access
>    to a wide range of information about the network structure and
>    other clients using the proxy.
>
>    This issue is limited to Squid acting as a reverse-proxy. Some
>    effects also require allow_direct permissions.
>
>    See the advisory for updated patches:
>    <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>
>
>
>    Please note that NTLM is a deprecated authentication mechanism.
>    All users of this tool are advised to plan migration to
>    Negotiate/Kerberos authentication.
>

Apologies. This note was supposed to be under the SQUID-2020:3 issue.
The issue(s) above are not related to NTLM.

>
>  * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
>    (CVE-2019-12528)
>
>    Certain FTP server responses can result in Squid revealing
>    random amounts of memory content from heap.
>
>    When Squid mempools feature is enabled the leak is limited to
>    lines in FTP directory listings, possibly from other clients.
>
>    When mempools is disabled the information may be anything from
>    the heap area including information from other processes on the
>    machine.
>
>    See the advisory for more details:
>    <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>
>
>
>  * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
>    (CVE-2020-8517)
>
>    This problem is limited to installations using the ext_lm_group_acl
>    binary (previously shipped as mswin_check_lm_group).
>
>    Due to incorrect input validation the NTLM authentication
>    credentials parser in ext_lm_group_acl may write to memory
>    outside the credentials buffer.
>
>    On systems with memory access protections this can result in
>    the helper process being terminated unexpectedly, resulting
>    in the Squid process also terminating and a denial of service for
>    all clients using the proxy.
>
>    See the advisory for more details:
>    <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>
>
>
>  * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
>
>    This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
>    issue was incorrect memory alignment with certain cache sizes. This
>    Squid release now forces alignment of the critical rock page details.
>
>
>  * Bug 4735: Truncated chunked responses cached as whole
>
>    This bug shows up as clients getting the cached truncated response
>    objects until the cache object expires or is force removed.
>
>    In absence of partial-object caching this Squid release treats
>    incomplete responses as non-cacheable and prevents the chunked encoding
>    terminator chunk being delivered to the active client(s).
>
>
>  * Fix server_cert_fingerprint on cert validator-reported errors
>
>    This bug shows up as a server_cert_fingerprint ACL mismatch when
>    sslproxy_cert_error directive was applied to validation errors reported
>    by the certificate validator, because the ACL could not find the server
>    certificate.
>
>
> All users of Squid are urged to upgrade as soon as possible.
>
>
> See the ChangeLog for the full list of changes in this and earlier
> releases.
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
> when you are ready to make the switch to Squid-4
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v4/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/4/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.html
> http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
>
> Amos Jeffries
> _______________________________________________
> squid-announce mailing list
> squid-announce@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
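As an added illustration of the Bug 4735 item above (this is example code written for this page, not Squid's own parser or anything from the announcement): a minimal scanner for a chunked-transfer-coded body that reports whether the zero-length terminator chunk actually arrived, and a cache-admission rule that stores a response as a whole object only when it did. The names scanChunkedBody and cacheableAsWhole are hypothetical, and the sample bodies in main() are constructed, not captured traffic.

```cpp
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <string>

// Outcome of scanning a chunked-transfer-coded response body.
enum class ChunkedState { Complete, Truncated, Malformed };

struct ChunkedScan {
    ChunkedState state;
    std::string decoded;   // payload bytes reassembled from the chunks seen so far
    std::size_t chunks;    // number of data chunks seen (the terminator is not counted)
};

// Hypothetical helper (not Squid's parser): walk a chunked body as received
// from the origin server. The result is Complete only when the zero-length
// last-chunk and the empty line that ends the trailer section were both seen;
// a body that simply stops early is Truncated, and bad framing is Malformed.
ChunkedScan scanChunkedBody(const std::string &body) {
    ChunkedScan r{ChunkedState::Truncated, std::string(), 0};
    std::size_t pos = 0;
    for (;;) {
        const std::size_t eol = body.find("\r\n", pos);
        if (eol == std::string::npos)
            return r;                                   // chunk-size line cut off
        std::string sizeField = body.substr(pos, eol - pos);
        const std::size_t semi = sizeField.find(';');   // drop any chunk extension
        if (semi != std::string::npos)
            sizeField.erase(semi);
        if (sizeField.empty() ||
            sizeField.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos) {
            r.state = ChunkedState::Malformed;          // size is not hex
            return r;
        }
        const unsigned long long len = std::strtoull(sizeField.c_str(), nullptr, 16);
        pos = eol + 2;
        if (len == 0) {
            // last-chunk: zero or more trailer lines, then an empty line
            for (;;) {
                const std::size_t teol = body.find("\r\n", pos);
                if (teol == std::string::npos)
                    return r;                           // final CRLF never arrived
                if (teol == pos) {
                    r.state = ChunkedState::Complete;
                    return r;
                }
                pos = teol + 2;
            }
        }
        const std::size_t remaining = body.size() - pos;
        if (len > remaining || remaining - len < 2)
            return r;                                   // chunk data or its CRLF cut off
        if (body.compare(pos + len, 2, "\r\n") != 0) {
            r.state = ChunkedState::Malformed;          // data not followed by CRLF
            return r;
        }
        r.decoded.append(body, pos, len);
        ++r.chunks;
        pos += len + 2;
    }
}

// Cache admission rule modelled on the Bug 4735 fix described above: without
// partial-object caching, only a body whose terminator chunk arrived may be
// stored and served as a whole object.
bool cacheableAsWhole(const std::string &body) {
    return scanChunkedBody(body).state == ChunkedState::Complete;
}

int main() {
    // Constructed sample bodies, not captured traffic.
    const std::string complete  = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const std::string truncated = "4\r\nWiki\r\n5\r\npedia\r\n";   // origin dropped before last-chunk
    std::cout << "complete body cacheable:  " << cacheableAsWhole(complete) << '\n';
    std::cout << "truncated body cacheable: " << cacheableAsWhole(truncated) << '\n';
    return 0;
}
```

The point the scanner makes concrete is that a body which ends cleanly on a chunk boundary, as the truncated sample does, still carries no proof of completeness: only the "0" last-chunk followed by its terminating CRLF does, so that is the condition a cache has to key on before storing the object.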