The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-5.0.4 beta release!

This release is a security and feature update release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2020:8 HTTP(S) Request Splitting (CVE-2020-15811)

  This problem is serious because it allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source.

  See the advisory for patches:
  <https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv>

* SQUID-2020:9 Denial of Service processing Cache Digest Response (CVE pending allocation)

  This problem allows a trusted peer to perform a Denial of Service by consuming all available CPU cycles on the machine running Squid when it handles a crafted Cache Digest response message.

  This attack is limited to Squid using cache_peer with the cache digests feature.

  See the advisory for patches:
  <https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg>

* SQUID-2020:10 HTTP(S) Request Smuggling (CVE-2020-15810)

  This problem is serious because it allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source.

  See the advisory for patches:
  <https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m>

* Add http_port sslflags=CONDITIONAL_AUTH

  This release extends the client certificate features to allow optional certificate authentication. The existing DELAYED_AUTH flag would delay the certificate request, then reject all clients who cannot present a valid certificate on request. With CONDITIONAL_AUTH Squid will just request and validate SSL client certificates. Any rejection or use of those certificates is left to other configuration settings.
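The following squid.conf fragment is an added illustration of the difference between the two flags; it is not taken from the announcement or from the Squid project's own documentation. The certificate paths, the port number, the network range and the ACL names are assumptions for this example; `https_port`, `tls-cert=`, `tls-key=`, `clientca=`, `sslflags=`, the `user_cert` ACL type and `http_access` are standard Squid directives.

```conf
# Added illustration, not from the Squid release or its documentation.
# Paths, port, network range and ACL names below are assumptions.

# Before: DELAYED_AUTH requests a client certificate and then rejects
# every client that cannot present one validating against clientca.
# https_port 3129 tls-cert=/etc/squid/proxy.pem tls-key=/etc/squid/proxy.key \
#            clientca=/etc/squid/client-ca.pem sslflags=DELAYED_AUTH

# Squid-5.0.4: CONDITIONAL_AUTH requests a client certificate and
# validates one when it is offered, but does not by itself reject
# clients that present none.
https_port 3129 tls-cert=/etc/squid/proxy.pem tls-key=/etc/squid/proxy.key \
           clientca=/etc/squid/client-ca.pem sslflags=CONDITIONAL_AUTH

# What a missing certificate means is now decided by ordinary access
# controls. user_cert matches attributes of the validated client
# certificate; a client that supplied no certificate does not match it.
acl localnet src 10.0.0.0/8
acl cert_ops user_cert O "Example Ops Team"
acl internal_only dstdomain .internal.example

# Restricted destinations require a matching certificate; everything
# else is reachable from the local network without one.
http_access allow internal_only cert_ops
http_access deny internal_only
http_access allow localnet
http_access deny all
```

The point to check after deploying such a configuration is the ordering of the `http_access` lines: Squid evaluates them top to bottom and stops at the first match, so the certificate-gated rule and its matching `deny` must precede the general `allow localnet` line, or the restriction is silently bypassed.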
* Improved CONNECT tunnel handling

  This release contains several small but important changes to how Squid handles CONNECT tunnels opened with servers, particularly in cases of server TCP connection failure and switching between upstream peers. A lot of annoying on_unsupported_protocol and HTTPS forwarding behaviour issues with previous releases should be resolved by these changes.

All users of Squid-5 are urged to upgrade as soon as possible.

All users of Squid-4 and older are encouraged to plan for upgrade.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries