The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.11 release!

This release is a security release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2019:12 Multiple issues in ESI Response processing
   (CVE-2019-12519, CVE-2019-12521)

   These problems allow a remote server delivering certain ESI response
   syntax to trigger a buffer overflow.

   On systems with heap overflow protection the overflow will shut down the
   proxy, causing a denial of service for all clients accessing the Squid
   service.

   On systems with ESI buffer pooling (the default) the overflow will
   truncate portions of generated payloads, poisoning the HTTP response
   cache with corrupted objects.

   The CVE-2019-12519 issue also overwrites arbitrary attacker-controlled
   information onto the process stack, allowing remote code execution with
   certain crafted ESI payloads.

   These problems are restricted to ESI responses received from an
   upstream server. Attackers have to compromise the server or the
   transmission channel to utilize these vulnerabilities.

   See the advisory for updated patches:
   <http://www.squid-cache.org/Advisories/SQUID-2019_12.txt>

 * SQUID-2020:4 Multiple issues in HTTP Digest authentication.
   (CVE-2020-11945)

   Due to an integer overflow bug Squid is vulnerable to credential replay
   and remote code execution attacks against HTTP Digest Authentication
   tokens.

   When memory pooling is used this problem allows a remote client to
   replay a sniffed Digest Authentication nonce to gain access to resources
   that are otherwise forbidden.

   When memory pooling is disabled this problem allows a remote client to
   perform remote code execution through the freed nonce credentials.

   See the advisory for more details:
   <http://www.squid-cache.org/Advisories/SQUID-2020_4.txt>

 * SQUID-2019:11 (CVE-2019-18679) complete fix

   The initial patch for this vulnerability significantly hardened against
   attacks. However it was still possible for an attacker to gain
   information over time about a Squid instance. This release completely
   removes that possibility.

 * Bug 5036: capital 'L's in logs when daemon queue overflows

   This shows up on proxies which are too busy for the daemon I/O or which
   are trying to output very long access.log lines. This bug is just an
   annoyance: all other operations of the proxy remain unaffected, but the
   extra characters can interfere with data processing of the logs.

 * Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations

   This bug shows up on caching proxies with multiple SMP workers. The
   visible symptoms are:
    - SNMP begins producing errors or NULL values instead of data,
    - cache manager reports indicate no traffic, or zero values,
    - possibly reduced cache HIT rate.

 * Bug 5016: systemd thinks Squid is ready before Squid listens

   systemd has been found to still have problems with the recent
   --foreground behaviour updates. This release adds support for the
   sd_notify systemd feature to work around that problem.

   Please note this automatically adds a libsystemd dependency when that
   library is available on the build machine. To prevent this dependency
   and retain the existing behaviour the --without-systemd build option is
   provided.

All users of Squid are urged to upgrade as soon as possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
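The Bug 5016 item above rests on the systemd readiness-notification protocol: a unit of Type=notify is not considered started until the service process sends "READY=1" over the datagram socket named in the NOTIFY_SOCKET environment variable, so a daemon that notifies only after it has bound and is listening closes the window in which systemd (and units ordered After= it) would otherwise assume the proxy is already accepting connections. The following Python is an added illustration of that protocol written for this page; it is not Squid's code and makes no claim about how Squid's libsystemd integration is implemented. The `demo()` function stands in for systemd by creating its own NOTIFY_SOCKET, starts a toy listener, and reads back the notification; the socket path, the listener and the message flow are all constructed here.

```python
import os
import shutil
import socket
import tempfile


def notify_ready(socket_path=None, message="READY=1\n"):
    """Send a systemd-style readiness notification.

    This is the wire protocol behind sd_notify(): a single datagram of
    "KEY=VALUE" lines to the AF_UNIX socket named in NOTIFY_SOCKET.
    Returns True if a notification was sent, False if no socket is
    configured (service started with Type=simple, or outside systemd).
    """
    path = socket_path if socket_path is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    # systemd may hand out an abstract-namespace socket, spelled with a leading '@'.
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.sendall(message.encode())
    return True


def start_service(listen_sock):
    """Toy daemon start-up: listen FIRST, then announce readiness.

    Sending READY=1 before listen() would reproduce the race the release
    notes describe, where the manager thinks the service is ready while
    clients still get connection refused.
    """
    listen_sock.listen()
    return notify_ready()


def demo():
    """Act as the service manager and verify the ordering end to end.

    Equivalent unit-file side (not created here):
        [Service]
        Type=notify      # instead of Type=simple
    """
    tmp = tempfile.mkdtemp()  # constructed scratch directory for the notify socket
    notify_path = os.path.join(tmp, "notify")
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(notify_path)
            manager.settimeout(2)
            os.environ["NOTIFY_SOCKET"] = notify_path  # what systemd exports to the child
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
                listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
                sent = start_service(listener)
                port = listener.getsockname()[1]
                # Once READY=1 has been sent a dependent unit can connect safely:
                # the kernel completes the handshake from the listen backlog.
                with socket.create_connection(("127.0.0.1", port), timeout=2):
                    pass
            msg = manager.recv(1024).decode()
    finally:
        os.environ.pop("NOTIFY_SOCKET", None)
        shutil.rmtree(tmp, ignore_errors=True)
    return sent, msg


if __name__ == "__main__":
    print(demo())
```

The point for operators is the ordering inside `start_service()`: the notification must follow the listen call, and a build configured with --without-systemd never sends it, so such a unit must stay on Type=simple rather than Type=notify or systemd will wait for a message that never arrives.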