The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.12 release! This release is a security release resolving several issues found in the prior Squid releases. The major changes to be aware of: * SQUID-2020:5 Denial of Service when using SMP cache (CVE-2020-14059) This problem may allow a remote client to trigger a Squid worker assertion. This attack is limited to SMP Squids using shared memory cache and/or an SMP rock disk cache. See the advisory for patches: <http://www.squid-cache.org/Advisories/SQUID-2020_5.txt> * SQUID-2020:6 Denial of Service issue in TLS handshake (CVE-2020-14058) This problem allows a trusted client to perform Denial of Service when opening TLS connections with a server for HTTPS. This problem allows a trusted client to perform Denial of Service when opening TLS connections to a server for SSL-Bump intercepted transactions. This attack is limited to Squid built with OpenSSL features and opening peer or server connections for HTTPS traffic and SSL-Bump server handshakes. See the advisory for patches: <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt> * Bug 5041: Missing Debug::Extra breaks build on hosts with systemd A regression was introduced with the fix for bug 5016 in Squid-4.11. Which shows up as build errors when libsystemd dependency is added to enable the systemd notify feature explicitly. This release fixes the regression and actually enables the feature. * Bug 5030: Negative responses are never cached This bug shows up as cacheable 4xx and 5xx responses not being cached despite negative_ttl configuration. This release brings 4xx and 5xx responses inline with the expected caching behaviour. * SslBump: Disable OpenSSL TLSv1.3 support for older TLS traffic Squid SSL-Bump features do not support TLS/1.3 protocol. Previously client or server attempting to use TLS/1.3 would result in "inappropriate fallback" errors negotiating handshakes. This release explicitly detects use of TLS/1.3 and disables it. All users of Squid are urged to upgrade as soon as possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v4/RELEASENOTES.html when you are ready to make the switch to Squid-4 This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v4/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/4/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce
