[squid-users] Squid 3.3.12 is available

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Mar 2014 17:40:28 +1300

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.3.12 release!

This release is a security fix release resolving several major issues
found in the prior Squid releases.

    REMINDER: This and older releases are already deprecated by
              Squid-3.4 availablility.

The major changes to be aware of:

* CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump

  http://www.squid-cache.org/Advisories/SQUID-2014_1.txt

This problem occurs in SSL-Bumped traffic and most severely when using
server-first bumping. It allows any client who can generate HTTPS
requests to perform a denial of service attack on Squid.

There are popular client software implementations which generate
HTTPS requests and triggering this vulnerability during their
normal activities.

* Bug #4026: SSL and adaptation_access on aborted connections

When performing adaptation on SSL traffic it was possible for a trusted
client to crash Squid. This was only possible during the very narrow
time of selecting which adaptation service(s) to perform, so the
security impact is very unlikely. However in configurations using slow
ACL tests or external ACL helpers the risk is much increased.

* Bug #3806: Caching responses with Vary header

This bug was causing Squid to store all responses normally but MISS on
traffic involving the Vary header. The result is a high churn on cached
content combined with a very low HIT rate.

* Bug #3769: client_netmask not evaluated since Comm redesign

This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.

* Bug #3969: credentials caching for Digest authentication

This bug resulted in Digest authentication incorrectly authenticating
requests against the wrong user credentials and forcing
re-authentication. While this fail-closed behaviour is safe from a
security viewpoint it can result in large bandwidth usage on affected Squid.

 See the ChangeLog for the full list of changes in this and earlier
 releases.

 All users are urged to upgrade as soon as possible.

Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go". We are still removing the infamous "Bungled
Config" halting points and adding checks, so if something is not
identified please report it.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.3/RELEASENOTES.html
when you are ready to make the switch to Squid-3.3

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.3/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.3/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
Received on Tue Mar 11 2014 - 04:40:34 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 12 2014 - 12:00:07 MDT