The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-5.0.2 beta release!

This release is a security and feature update release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2019:12 Multiple issues in ESI Response processing
   (CVE-2019-12519, CVE-2019-12521)

   These problems allow a remote server delivering certain ESI response syntax to trigger a buffer overflow.

   On systems with heap overflow protection, the overflow will shut down the proxy, causing a denial of service for all clients accessing the Squid service.

   On systems with ESI buffer pooling (the default), the overflow will truncate portions of generated payloads, poisoning the HTTP response cache with corrupted objects.

   The CVE-2019-12519 issue also overwrites arbitrary attacker-controlled information onto the process stack, allowing remote code execution with certain crafted ESI payloads.

   These problems are restricted to ESI responses received from an upstream server. Attackers have to compromise the server or transmission channel to utilize these vulnerabilities.

   See the advisory for updated patches:
   <http://www.squid-cache.org/Advisories/SQUID-2019_12.txt>

 * SQUID-2020:4 Multiple issues in HTTP Digest authentication.
   (CVE-2020-11945)

   Due to an integer overflow bug, Squid is vulnerable to credential replay and remote code execution attacks against HTTP Digest Authentication tokens.

   When memory pooling is used, this problem allows a remote client to replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden.

   When memory pooling is disabled, this problem allows a remote client to perform remote code execution through the freed nonce credentials.

   See the advisory for more details:
   <http://www.squid-cache.org/Advisories/SQUID-2020_4.txt>

 * SQUID-2019:11 (CVE-2019-18679) complete fix

   The initial patch for this vulnerability significantly hardened against attacks.
   However, it was still possible for an attacker to gain information over time about a Squid instance. This release completely removes that possibility.

 * Bug 5030: Negative responses are never cached

   This bug shows up as cacheable 4xx and 5xx responses not being cached despite negative_ttl configuration. This release brings 4xx and 5xx responses in line with the expected caching behaviour.

 * Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs

   Please note that as of this fix, cache.log and stderr output from several Squid processes has changed significantly.

   All output from the Squid master process is now delivered to its stderr and logged by the OS according to kernel policy for daemons. Typically that means the kernel 'messages' log and/or system boot log. This includes all information logged during the lifetime of the Squid instance by the master process.

   All output from the coordinator and kid processes is logged to cache.log. cache.log is opened slightly earlier than in previous Squid releases, and information logged prior to its opening is no longer logged.

 * High precision time units

   This feature addition to squid.conf allows some configuration options to accept high precision (nanosecond) resolution settings. At this time most settings are left with their existing range of values. Changes are detailed in the release notes for altered directives.

All users of Squid-5 are urged to upgrade as soon as possible.

All users of Squid-4 and older are encouraged to plan for upgrade.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/5/
or the mirrors.
For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce