[squid-announce] Squid 3.5.0.1 beta is available

2014-10-20 Thread Amos Jeffries
ally purged from the code.

Rock store has been available for several versions, with COSS
operation broken for even longer. This version brings >32KB object
support to Rock store and thus removes the last potential need for COSS.

 * DNS helper API and dnsserver are officially purged from the code.

mDNS support has been available since Squid-3.4 and has no bug reports
across the entire series. It thus passes our criteria for stable, and
demonstrates the lack of need for the DNS helper.


All users are encouraged to give this Squid release a test run as soon
as time permits. All feedback welcome.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.5

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJURenYAAoJELJo5wb/XPRjmqkH/2QMa0hvye7PtkxGK0+sfec4
K7WiJXpr5z+x/8v/mxg5blU4O2MyAqbE5T1liVUyKTKNXBpO7x73gn50JpykXAIZ
D7tQadq4HVjpbUJkNyZikt1ez7/HcKx3bF0RZKwxbg8khrJe/Ufh4gWhPaef03V2
xCXjEZpYf9DQgewZvGb2YHk35nq5f4Uz7DEthmdmpHFmojbmfDrP7nIBhdV0TjoE
EVYmCKPvAkLfRxr1OJlGo7rECwFb1ERpbRIPM86kJMwah0a+jti2guR6FAJtjyCz
x1ak+SKV+isiJ9Qgusb6VXqrupH4iZNSjZQPTtSQnlt9psn9+tlm6TwLtJcqZDg=
=Ram6
-----END PGP SIGNATURE-----
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 3.4.9 is available

2014-11-03 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.9 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Bug 3803: ident leaks memory on failure

Please note that on Squid instances which have been configured to send
IDENT queries to WAN visitors this can become a remotely triggerable
security vulnerability. A remote attacker can DoS the Squid service by
sending enough HTTP traffic from hosts not responding to IDENT that
the memory leak overwhelms the Squid server.

IMPORTANT: Correct configuration of IDENT in Squid includes
ident_access ACLs limiting IDENT queries to being sent only to LAN
(localnet) clients.


* Bug 4102: ssl_bump certificate contains only a dot character in key
usage extension

The previous fix for bug 3966 was incorrect. SSL-bump generated
certificates would display with a valid version for key extensions to
exist but have a single "." character as the key extension field contents.

There have been reports that this fix is still incomplete and there
may be further fixes needed on top of this one. However this fix alone
resolves browser issues with many websites using simple key extensions.


* Bug 4088: memory leak in external_acl_type helper

This bug would appear as a memory leak if an external_acl_type helper
is configured with either of the cache=0, ttl=0 or negative_ttl=0
options. Leaked bytes amounted to the size of the helper lookup,
response and HTTP request headers on any helper lookups which were not
cached - that could be several MB per minute on a busy proxy.


* Bug 4024: Bad host/IP ::1 when using IPv4-only environment

This bug would show up as a fatal configuration error processing the
default ::1 localhost address on a system with IPv6 completely
disabled in the host DNS resolver library.

NOTE WELL:
disabling IPv6 entirely violates the Internet standard BCP 177
"IPv6 Support Required for All IP-Capable Nodes".

HTTP is one of the protocols where IP addresses are embedded in the
layer-3 protocol syntax. There are no guarantees of correct proxying
operation if the system underlying Squid prevents it from correctly
interpreting IPv6 elements within HTTP messages.



All users of Squid with IDENT are urged to upgrade to this release as
soon as possible.

All users of Squid with SSL-bump are urged to upgrade to this release
as soon as possible.

All other users of Squid are encouraged to upgrade to this release as
time permits.



See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUWFlUAAoJELJo5wb/XPRjG8QH/Rl1mT/kdqn/Flvl3sDWpF4c
l1ixeK+nMgQLPBnKg1unk/K68sI/E4wxfP2oJHWmz57DGy5QfuykMnfQRU+hAFKZ
Zez9Odd8q8yJdo+KIZB3IBq7yUEY8hGKEO27scxSUijRN1P6Enp4BcN8HpMOKD0m
U1PYHiDgL0Lha11UUFsvtBUiNicWInB5YXG9V3fYmDC7nU6Szrd2TSM09dg9Ltut
1tKmGsP0ZLJocWE6Pbq3QsYnlakhGNZaFdDuECqZ3y6mEThSyTjJyC61At0RKsy3
hkyb9RgaWRTytAuePH6ex3brkE6Y5YctLfKJAL1DtpUXLDupwsvZdUhzb+UJuPQ=
=vtsq
-----END PGP SIGNATURE-----
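Added example (not part of the announcement above, and not Squid project configuration): a squid.conf fragment showing the IDENT setup the Bug 3803 note warns about beside the one it asks for. The directive that governs whether Squid sends an IDENT query is ident_lookup_access; the localnet ranges, ACL names and the http_access policy are assumptions for illustration.

```conf
# Constructed squid.conf fragment (added example, not from the announcement).
# The localnet ranges, ACL names and http_access policy are assumptions.

acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localnet src fc00::/7 fe80::/10

# WEAK: an IDENT query goes to every client, including WAN visitors.
# Each client that never answers costs a lookup that has to time out, and
# before 3.4.9 also leaked memory (Bug 3803); enough of them exhaust the proxy.
#ident_lookup_access allow all

# CORRECT: only LAN clients are ever asked, everyone else is refused.
ident_lookup_access allow localnet
ident_lookup_access deny all

# Bound how long an unanswered IDENT query can hold a request open.
ident_timeout 10 seconds

# The ident ACL type triggers its own lookup when it is evaluated, so keep a
# src ACL in front of it: with "localnet" first, non-LAN clients never reach
# the ident check and therefore never trigger a query.
acl ident_known ident REQUIRED
http_access allow localnet ident_known
http_access deny all
```

Run "squid -k parse" after applying the change; the ordering of the http_access line is what keeps the exposure limited, not only the ident_lookup_access rules.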


[squid-announce] Squid 3.4.10 is available

2014-12-10 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.10 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Bug 4033: Rebuild corrupted ssl_db/size file

The certificate DB size file may become empty (for reasons beyond Squid
control such as server reboots, and possibly some unknown Squid bugs).
When it becomes empty, all ssl_crtd helpers (and then Squid) quit.


* Fixes Segmentation Fault in ACLUrlPathStrategy::match

This segmentation fault would occur when the urlpath_regex ACL was used in
access controls to test transactions where no URL path is available,
e.g. CONNECT or OPTIONS requests, some WebDAV requests, etc.


* Fixes Alternate-Protocol header behaviour

Certain servers emit the non-standard Alternate-Protocol header
without listing it in the Connection header, and popular client software
will attempt to follow its instructions regardless of the presence of
a proxy. This may result in loss of administrative information about
client traffic, increased network bandwidth, unpredictable client
failures, loss of connectivity for the client, information leakage
and/or other security vulnerabilities in experimental protocols.

Squid now handles this non-standard header on the client's behalf and
will cause it to only have any effect if the protocol it instructs to
be used is supported by Squid.


 All users of Squid are encouraged to upgrade to this release as
time permits.



 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUiFqrAAoJELJo5wb/XPRj+aMIAIDo6Mc/vtpkhN5XNwfOmwAD
xyaCv3f/b3CN4VyLjCGvbJ8us+nicuRGlg7IsCxBcICtID4Km1UvZEr6ouOpH6U1
7b/NIm5ftjO2HlcrxO14qLMGNCslkk60ByVCVk6vPA1aqnC5L+kujCyC9azqJS8a
w5nAtU/pSHdKrOzy9b+Cv83PqXwMXby1KuKALnDAx6o4qMFQVAC/mUQncd9JweCT
Y3PrMA2gC/iqSy1ZhXPeY3eUU6fHjRGh9s6B1nfgj7Okc4vmeL3lMnOINA24FNW4
TVriWwrrNMzNw5yEBLdH4q/wqpVXEZi47ihgk4lOiSEA8phAvC+c2MIA1I7uK1Y=
=eyPH
-----END PGP SIGNATURE-----


[squid-announce] Squid 3.5.0.4 beta is available

2014-12-20 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid Software Foundation is very pleased to announce the
availability of the Squid-3.5.0.4 beta release!


This release is a bug fix and documentation update release resolving
some major issues found in the prior Squid releases.


The major changes to be aware of:

* Support http_access denials of SslBump "peeked" connections.

This bug shows up with "peek" SSL-Bump operation preventing Squid from
rejecting client connections, and "splice" connections not being
governed by the general access controls.

Starting with this release ssl_bump has the following behaviours:

- During transparent SSL bumping, if we decide to splice at step1, do
not splice the connection immediately, but create a fake CONNECT
request first and send it through the callout code (http_access check,
ICAP/ECAP, etc.). If that fake CONNECT is denied, the code path
described below kicks in. Otherwise the connection is spliced.

- When an error page is generated during CONNECT or transparent
bumping (e.g. because an http_access check has failed), we switch to
the "client-first" bumping mode and then serve the error page to the
client (upon receiving the first regular request on the bumped
connection).


* negotiate_kerberos_auth: MEMORY keytab and replay cache support

The Negotiate/Kerberos authentication helper has been updated to
support a MEMORY: keytab. This provides better performance over
previous versions with constant disk access.

Also, the token replay cache is now more configurable. It may be moved
from the default location as needed, or disabled entirely.



* Bug 3826: pt 2: Provide a systemd .service file for Squid

Squid is designed with a built-in daemon manager which clashes in
annoying ways with third-party daemon managers like OpenRC, Upstart,
and systemd. In particular Squid SMP support is not fully operational
under these systems.

This release provides a squid.service file under tools/ for anyone
wishing to package Squid for the systemd environment. It contains
basic signalling rules and command line arguments suitable for
managing this version of Squid via systemd (without SMP support).


* Code style reformatting

Our code style enforcement was not working properly since the Sept
2014 server outage. That has been fixed and along with it several old
bugs in the enforcement code. As a result this release includes a
large amount of style/polishing changes. It is very likely that
patches written for older 3.5 releases will need adjusting.


* Bug fixes shared with 3.4 series

This release also includes several bug fixes shared with the 3.4 stable
series in the future 3.4.11 release.


All users of previous 3.5 releases are urged to upgrade to this release
as soon as possible.

All users of 3.4 and older versions are encouraged to give this Squid
release a test run as soon as time permits. All feedback welcome.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.5

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUlnxVAAoJELJo5wb/XPRjbXwH/0K+dbdvPW/iztgkouzQEgMY
J/ZkFZSMJBhUvcC8euL2EcnzqKoBNLJZ/8C/7k7aQRBQeilwJj++JYIRCrAd6Jlv
LlxYbqQgqOvyltwljuJTnLuZ4f84vBAtB5sPm+jWFDsNpADsKpFJwX5CVkGoA6I7
tVx9J7nE3f/uvyKgeUEbSPIO2uFtJnL0Cf+c1o3cFpwKkyc+ielVIhwJ1VHxB+o0
16F4RIhWl2bqY7w32S/9WUYfJttXMRciQp/Vsgu0IJexOAUMQRQi9zTBWW8Ius67
ce1XvGWak5OlNDSLhpauFc4z8SN8tVqKSEr6alvb5qq0ymX2a1koZZnC+v6qzBc=
=V1Xg
-----END PGP SIGNATURE-----


[squid-announce] Squid 3.4.11 is available

2015-01-14 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.11 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* "Deleting first fs left psstate->servers pointing to uninitialized
memory"

This obscurely named bug takes the appearance of randomly appearing
high CPU consumption and a hanging worker, or less commonly a direct crash.
It is not the only cause of overly high CPU usage, but is the major
one now known about in 3.4 series.

This affects all Squid configured with a large number of peers or when
contacting domains with many advertised IP addresses (such as Google
or Facebook).


* Bug #3760: squidclient ignores --disable-ipv6

The squidclient tool would mysteriously attempt to use IPv6 and abort
regardless of IP version probes successfully detecting that protocol
being disabled.

It turns out that Squid has not been correctly filtering out IPv6
results presented by the operating system getaddrinfo() API in the
event that the administrator disabled IPv6 in Squid but not the
operating system.

This affects DNS resolution of all domain names when starting and
configuring Squid, but not for regular proxy operational DNS queries.


* Bug #4057: Avoid on-exit crashes when adaptation is enabled.

As the name describes, Squid 3.4.5 and later will crash when shutting
down (or reconfiguring) if adaptation is configured.


* Bug #3754: configure doesn't detect IPFilter 5.1.2 system headers

The Solaris 10 operating system has broken IPFilter, both the one built
into Solaris 10 and the publicly available external sources for the tools.

This Squid release includes a hack to work around that system breakage
and allow Squid's part of the IPFilter mechanisms to build and work again.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUt0wtAAoJELJo5wb/XPRjD3gIAJR51FyrE+fnQZ3Nf37A3e5U
sLvcpQClEj9wLPKdg95x+3ocOjvFlRRZgNgTREH50VhGWBooAv5jBgrwnFZ697J5
ikMm9v37R/aTB1rZfsbXswEsedJlb4KqSraiqly963Eicn20uMnEE9NYUHyMlXoW
UeMD6lkRWay5KQZ2LUiyX9Hloiy50qRjuM01QEmeO+p3Lj6X7EqD4u5+zGj5fc23
52HGudftsyOo2Lqv1fmnR3eJMp+6oHD2xqDJB1Nb5Ayngry2ceOTlhD15ZwOcIfK
Xytii0TmLdfnh0Nkg4TWKcPajfCcUJVYVzPW4sQa5d7ZyV3bAa3hVeujqfvRfN0=
=UMfa
-----END PGP SIGNATURE-----


[squid-announce] Squid 3.5.1 is available

2015-01-17 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.1 release!


This release is, we believe, stable enough for general production use.

Support for Squid-3.4 bug fixes has now officially ceased. Bugs in 3.4
will continue to be fixed, however the fixes will be added to the 3.5
series. All users of Squid-3.4 are encouraged to plan for upgrades.


A short list of the major new features is:

 * Collapsed Forwarding (ported from Squid-2.7)
 * eCAP version 1.0 support
 * SSL peek-n-splice
 * Authentication helper query extensions (see auth_param)
 * Caching large (>32KB) objects in Rock storage
 * Extended cache HIT/MISS decision control (see send_hit, store_miss)
 * Support named services
 * Upgraded squidclient tool
 * Helper support for concurrency channels
 * Native FTP protocol relay
 * Initial support for PROXY protocol
 * Basic authentication MSNT helper changes

Several features have been removed in 3.5:

 * COSS storage type has been superseded by Rock storage type.
 * dnsserver helper has been superseded by DNS internal client.
 * DNS helper API has been superseded by DNS internal client.

Further details can be found in the release notes or the wiki.
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
http://wiki.squid-cache.org/Squid-3.5


Please be aware that for the SSL-Bump peek-n-splice feature the
ssl_bump directive configuration has changed. Some testers have found
it may require manual attention to redesign the bumping configuration
on upgrade. Squid does perform auto-upgrade as best it can, but the
result may not meet the intended policy behaviour.
 http://www.squid-cache.org/Doc/config/ssl_bump/


Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go".

Squid is beginning to enforce stricter configuration file syntax and
case sensitivity in 3.5.


All feature additions are considered *experimental* until they have
survived at least one series of releases in general production use.
Please be aware of that when rolling out features which are new in
this series. Not all use-cases have been well tested yet and some may
not even have been implemented. Assistance is still needed despite the
release's general stability level.


Plans for the next series of releases are already well underway. Our
future release plans and upcoming features can be found at:
http://wiki.squid-cache.org/RoadMap/Squid3


 See the ChangeLog for the full list of changes in this and earlier
 releases.

 All users of Squid-3.5 beta releases are urged to upgrade to this
release as soon as possible.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUuhkXAAoJELJo5wb/XPRj3aMH/2o9/6gjr+H+kkEpkRZASZQT
m51kl4x0Z520PPpq4apLSGc/92Hj1D0Ac9q7/HFBlNORSrOQdq/gBhLTcdUwo0to
kGVgGt0dYQttMBR7So3EsZ0na1RQFKAdod+tzuLjm20UAobGHy/YUYnv0Xtqb+mm
4bTZYPFQkMpOzFLcn4ulQk165dFv6QgHgrxCscZG7nVqngl1RQBD2ry0j7q20iUm
rsAzR3bR7oWYS9vZd72AgYK3sHd9XkF0vhD/qO0dzDzQH/dXvI1DP1doEZ5KCSdK
28uDRtUNvUklDSRJCwnWMjElliq6Sa9uUc+Wcz+8elgJ0HIgeTQFBZrsmhrHp4o=
=injD
-----END PGP SIGNATURE-----


Re: [squid-announce] [squid-users] Squid 3.5.1 is available

2015-01-20 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21/01/2015 8:54 a.m., Ahmad wrote:
> Hello team
> 
> Happy to hear that ,
> 
> But let's focus on the large rock mode of squid.
> 
> You mentioned it can cache more than 32 KB data store.
> 
> Is there a specific directive needed for this distribution?
> 
> Also you said it caches more than 32KB, what does that mean?? Will
> the object size be like 512kB?
> 
> Also, is that the in-memory object size, or the hard disk rock object size?
> 

It means the max-size= parameter of rock cache_dir may now be a value
larger than 32KB if you need it.

Rock is still optimized for small objects, so making max-size=N a very
large value will produce a slowdown in performance unless also tuning
the slot size parameter to reduce slot count per object.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUvimDAAoJELJo5wb/XPRjJWsIAKC/NWgpUzLR9rchLIzDtuzp
qumV79DuSzTNQ7oWLUc/HymOdZc8Rc977QN0sp0Qj3oufIYGluculKF4dCBJiECw
5tps5hQodI1QWDChLvjp/ewMM6SMisfBZ7tWMNyHElUDRAjeJZLogPrFe5rpK5t8
Q/BQia806EXeXKwNvfj58ljAc2oDWb8sWtG5TgieqesYPnRAuXbMazYhH2JArQ16
DRuMUNi3HIN8lRT01xvEgji7QlhgNLazN2flG4cmASshtqpD+RrdF8JLNyM879ZS
cWBEjgEg3WmWtLVovgdYd9ytB4biDZ9kX1RDVZlZ9Cnz1uwXVqwDeAWZWMxGYEY=
=vpL9
-----END PGP SIGNATURE-----
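Added example (not part of the reply above, and not Squid project configuration): cache_dir lines showing what the max-size= and slot size tuning in the answer looks like in squid.conf. Paths, sizes and the second aufs store are assumptions for illustration; the slot-size range a given build accepts is documented in its squid.conf.documented.

```conf
# Constructed squid.conf fragment (added example, not from the reply above).
# Paths and sizes are assumptions; check squid.conf.documented for the
# slot-size= range supported by your build.

# Squid-3.4 and earlier: rock objects were capped at 32KB.
#cache_dir rock /var/cache/squid/rock 8192 max-size=32768

# Squid-3.5: max-size= may exceed 32KB, but rock stores an object as a
# chain of fixed-size slots, so a 4MB object at 16KB slots becomes 256
# slots to read and write. Raise slot-size= together with max-size= to
# keep the slots-per-object count, and the per-object I/O cost, down.
cache_dir rock /var/cache/squid/rock 8192 max-size=4194304 slot-size=32768

# Objects above the rock ceiling can be left to a ufs/aufs store;
# min-size= keeps the two stores from competing for the same objects.
cache_dir aufs /var/cache/squid/aufs 16384 16 256 min-size=4194305
```

The aufs line is optional: under SMP workers only rock is shared between workers, so a per-worker aufs store changes hit behaviour and should be sized with that in mind. Run "squid -z" after adding a new cache_dir and "squid -k parse" before reloading.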


[squid-announce] Squid 3.4.12 is available

2015-02-18 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.12 release!


This release is a security fix release resolving several major issues
found in the prior Squid releases.

REMINDER: This and older releases are already deprecated by
  Squid-3.5 availability.


The major changes to be aware of:


* Bug #3997: Excessive NTLM or Negotiate auth helper annotations

This bug appears whenever NTLM or Negotiate authentication are taking
place. On a busy server the outward appearance is excessive CPU usage
and associated loss of performance, a memory "leak" may also be seen
depending on the size of authentication token. This state appears at
the worst possible moments when users are busy, and disappears some
time after users stop accessing the proxy.

Deepest apologies that this took so long to pin down, and a great
big Thank You to Steve Hill for tracking it down in the end.


* Bug #4066: Digest auth nonce indefinite rollover

This bug prevented the backend authentication system being contacted
to re-verify user credentials after their TTL has expired. Making it
near impossible to kick off an active user by closing their account or
changing password.

Please note that while this does have a security impact it is NOT
being considered for an advisory with CVE rating since the user has to
properly authenticate before they can abuse this.

A big Thank You to Frederic Bourgeois for tracking this one down.


* Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.

This bug was behind the strange behaviour on some installations where
TOS/Diffserv packet markings were not being performed despite explicit
configuration. Squid is now retaining the needed security permissions.


* Add TLS/SSL option NO_TICKET to http[s]_port

Squid now supports configuration of the TLS session ticket extension,
specifically disabling it in situations where it's undesirable to allow
OpenSSL the feature.




 All users are encouraged to upgrade to the 3.5 series.

 All users of older 3.4 are urged to upgrade to this release as soon
as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJU5SfuAAoJELJo5wb/XPRjkoAH/2oCy+NcBYGpv5B70omId8Nr
JkaL0YzDYm2zhPtaSlC8MfVigE8OpA9C95vz2FEvE4/5rMS/6y3Hi1ObWlzPf3N2
iqf7GIuxNo5D200Wzh4j7lMAz+pwEKorK9y+4hssgLfEgkKHp+1SPTGgY3h5HHsP
8TAikJVg40b6pfFihVEyOgYSlMhxYUvehlKt/B6Zm/fUdYu/71xyhp+YG4KK4GYZ
rHRSDzhCFsy/xDSdwjK25fIaPVzl5kQ6poukZ8nkMDKDtfRRGadi/e0pBPlkniN2
pvPkRR1ibqMomO0tAnr9ITu6GNVcPzPhxuUo4Pi+1VYXRN2AJ3Fynx4yPJPUpRw=
=A1g0
-----END PGP SIGNATURE-----


[squid-announce] Squid 3.5.2 is available

2015-02-18 Thread Amos Jeffries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.2 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Regression Bug #4176: Digest auth too many helper lookups

It was found that the Digest authentication helper was being called to
validate credentials on every client request regardless of an
appropriate TTL or nonce re-use counter being available.

This release decreases CPU usage and improves latency of client
traffic on all installations using Digest authentication.


* SSL-Bump feature transparency improvements

The SSL-Bump feature is now relaying SNI information from the client
to server when performing server-first bumping of intercepted traffic.

The sslproxy_options directive is now no longer being applied to
server connections when peek/stare operations are performed.

Squid will now supply to the external verification helper the missing
root CAs (i.e. fill in the gaps) when validating chains that already
passed internal checks.

Each of these reduces TLS errors induced by the existence of Squid in
the path, making SSL-Bump much more transparent than before.


* Fix some cbdataFree related memory leaks

This resolves some slow memory leaks resulting from the use of
cache_peer. Be aware there are other issues still outstanding which
have the appearance of memory leaks in some installations. If you are
seeing what appears to be a leak this may help, but it also may not be
the whole issue.


* All security fixes from 3.4.12 are also present in this release.



 All users of Squid SSL-Bump feature are urged to upgrade to this
release as soon as possible.

 All users of NTLM or Negotiate (Kerberos) authentication features are
urged to upgrade to this release as soon as possible.

 All users of Squid are encouraged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJU5TK5AAoJELJo5wb/XPRjtYcH/35kDtQ5zLgtZ1RScVhPjOnT
KKAkLTru/FGPtaonO/fBDV9t3bwqU1NkzIiBfJ0wodkQaAYpg+/iD0Zs7Mjq5++d
0aXoRWEK7n8Pbx1v9UOzymUgweHQqjBeY9iPaViil1mgg0/V70Gvb6qIVGtGU+Qz
8tTeWb1zl66TxdGm++XUb+3seY4jRPfC6RoarhTj5VB6S3n3YUYqJ3njidWwv/oN
NovSJNDSyB7rZKyOyUodURu74Mi/Qoej39SqlGB3pfp1LVujqQjUYaKPCuRT57/q
527Ni5IShf+k2MOCJYFFcuw9Gy9Of9t1E7p7spbADeNyjFuUvjRsE0ZOpN09kpo=
=UkbJ
-----END PGP SIGNATURE-----
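Added example (not part of the announcements, and not Squid project configuration) serving three notes above: the 3.5.1 warning that the ssl_bump directive syntax changed for peek-n-splice, the 3.4.12 NO_TICKET option on http[s]_port, and the 3.5.2 SSL-Bump transparency fixes. It shows an old-style server-first rule beside an explicit 3.5 peek/splice/bump policy. The port number, certificate paths, ssl_db location and the .bank.example exemption are assumptions for illustration.

```conf
# Constructed squid.conf fragment (added example, not from the announcements).
# Port, certificate paths, ssl_db location and the exempt domain are assumptions.

# Intercepting HTTPS listener. options= takes OpenSSL option names;
# NO_TICKET (added in 3.4.12 and 3.5.2) turns off the session ticket extension.
https_port 3129 intercept ssl-bump options=NO_TICKET cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Squid-3.4 style rule. The 3.5 auto-upgrade rewrites this, but the result
# may not express the policy you meant, so spell it out instead:
#ssl_bump server-first all

# Squid-3.5 peek-n-splice, written out explicitly.
# step1: the client hello has been read (SNI known), nothing committed yet.
acl step1 at_step SslBump1
# Hosts that must not be decrypted, matched on the SNI Squid peeked at.
acl nobump ssl::server_name .bank.example

# Look at the client hello without committing to bump or splice.
ssl_bump peek step1
# Exempt hosts are passed through untouched.
ssl_bump splice nobump
# Everything else is decrypted and re-encrypted toward the server.
ssl_bump bump all
```

After upgrading, run "squid -k parse" and then compare the effective ssl_bump rules against the policy you intended; with 3.5.0.4 and later a CONNECT denied by http_access on a peeked connection is served an error page rather than being spliced silently, so http_access rules apply to these connections as well.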


[squid-announce] OpenSSL Advisory 2015-03-19

2015-03-20 Thread Amos Jeffries
As you may be aware a number of security vulnerabilities have just been
announced regarding OpenSSL.
 <https://openssl.org/news/secadv_20150319.txt>

Several of these potentially impact Squid with Denial of Service and
connection failure side effects when using HTTPS or the SSL-Bump feature
set.

All users of Squid HTTPS and SSL features are advised to restart Squid
after upgrading their OpenSSL library to a fixed version.


There will be no direct Squid advisory regarding this since the
vulnerability is in OpenSSL itself, not Squid.


Amos Jeffries
Squid Software Foundation


[squid-announce] Squid 3.5.3 is available

2015-03-30 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.3 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Regression Bug #4206: connection close on Expect:100-continue

It was found that large POST and PUT requests using Expect:100-continue
to a Squid-3.5.1 or 3.5.2 would reset the TCP connection instead of
allowing the upload to proceed. The working Squid-3.4 behaviour has now
been restored.


* Regression Bug #4213: negotiate_kerberos_auth segmentation faults

After Squid-3.5.2 updates to the Kerberos support it was found that this
helper was frequently, but not always, encountering a segmentation
fault. That is now fully resolved.

Also fixed in this release is support for the latest Heimdal libraries
and some unused Kerberos related code is no longer built.


* Bug #2907: high CPU usage on CONNECT when using Delay Pools

When Delay Pools was enabled Squid CONNECT handling tunnel code could
quickly empty the available pool bandwidth and would then also not wait
for it to be replenished, but repeatedly attempt to keep sending. While
this is not quite an "infinite loop" problem it is very similar in
effect, with CPU consumption reaching 100% and service through the proxy
slowing down dramatically.

While this is a very old bug, it is starting to make itself felt more as
the quantity of HTTPS CONNECT requests increases.


* Bug #3805: support shared memory on MacOS X

This bug completely prevented using SMP support on MacOS X. As of this
release it should now be possible to use workers, shared memory cache
and rock storage on MacOS X.


* Bug #4204: ./configure abort when required helpers cannot be built

Previously the Squid ./configure script would treat a user-supplied list
of helpers as an optional list to attempt building, ignoring helpers
that were available but not listed. Being an optional list it would also
only warn if some of the list entries could not be built.

It is now treated as a list of required helpers - with a hard failure if
any cannot be built. This prevents automated build systems going through
a long build process only to find missing binaries at the install phase.


* basic_nis_auth and basic_getpwnam_auth updated

Other software has recently been awarded CVE allocation for bad handling
of crypt() system call failures resulting in Denial of Service. These
two Squid helpers were performing very similar operations and might
encounter the same failures. Fortunately these Squid helpers are fairly
isolated and Basic auth in Squid contains mechanisms that make it very
difficult to affect more than one client.

This is a proactive security update to prevent any future issues that
could appear as a result.



 All users of Squid-3.5 with SMP features are urged to upgrade to this
release as soon as possible.

 All users of Delay Pools are urged to upgrade to this release as soon
as possible.

 All users of basic_nis_auth or basic_getpwnam_auth are urged to upgrade
to this release as soon as possible.

 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2015:1 Incorrect X509 server certificate validation

2015-05-01 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2015:1
__

Advisory ID:        SQUID-2015:1
Date:               May 01, 2015
Summary:            Incorrect X509 server certificate validation
Affected versions:  Squid 3.2 -> 3.2.13
                    Squid 3.3 -> 3.3.13
                    Squid 3.4 -> 3.4.12
                    Squid 3.5 -> 3.5.3
Fixed in version:   Squid 3.5.4, 3.4.13, 3.3.14, 3.2.14
__

http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
__

Problem Description:

 Squid configured with client-first SSL-bump does not correctly
 validate X509 server certificate domain / hostname fields.

__

Severity:

 The bug is important because it allows remote servers to bypass
 client certificate validation. Some attackers may also be able
 to use valid certificates for one domain signed by a global
 Certificate Authority to abuse an unrelated domain.

 However, the bug is exploitable only if you have configured
 Squid to perform SSL Bumping with the "client-first" or "bump"
 mode of operation.

 Sites that do not use SSL-Bump are not vulnerable.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.4, 3.4.13, 3.3.14, and
 3.2.14.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.2:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11836.patch

Squid 3.3:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12690.patch

Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch

Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13817.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x, 3.0 and 3.1 are not vulnerable to the problem.

1) Run "squid -v" to determine if SSL support is enabled.

 All Squid built without SSL support are not vulnerable to the
 problem.


2) Run "squid -k parse 2>&1 | grep ssl_bump" to determine if
SSL-Bump is being used.

 All Squid-3.2, 3.3, 3.4, and 3.5 operating with ssl_bump omitted
 from squid.conf are not vulnerable to the problem.

 All unpatched Squid-3.x operating with "ssl_bump client-first"
 in squid.conf are vulnerable to the problem.

 All unpatched Squid-3.x operating with "ssl_bump bump" in
 squid.conf are vulnerable to the problem.

__

Workaround:

 There is no workaround for Squid-3.2.

 For Squid-3.3 and 3.4, upgrade the squid.conf settings to use
 "ssl_bump server-first".

 For Squid-3.5, upgrade the squid.conf settings to use a
 "ssl_bump peek" operation before the "bump" operation.

  NOTE that these workarounds do not resolve the vulnerability,
  but allow Squid to relay (or mimic) the invalid certificate to
  clients and depends on validation in the client.


Or,

 Disable SSL-Bump. Which may be done in the following ways:

 * Build Squid-3.2, 3.3, or 3.4 with ./configure --disable-ssl

 * Build Squid-3.5 with ./configure --without-openssl

 * Remove from squid.conf (and include'd files) any ssl_bump
   directives.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your primary
 support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was discovered and reported by a contributor
 who wishes to remain anonymous.

 The vulnerabi
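The advisory's "Determining if your version is vulnerable" steps can be run mechanically against the two artifacts they name: the output of "squid -v" and the squid.conf text. The POSIX shell script below is an added example, not part of the advisory or of the Squid project's code; every function name in it is my own, and the "squid -v" output and configuration snippets it checks are constructed samples rather than output captured from a real host. It treats any uncommented "ssl_bump client-first" or "ssl_bump bump" line as the vulnerable configuration, exactly as the advisory's step 2 states, so the peek-before-bump workaround (which the advisory says does not resolve the vulnerability) is still reported as vulnerable.

```shell
#!/bin/sh
# Added example (not Squid project code): applies the SQUID-2015:1
# "Determining if your version is vulnerable" steps to captured
# "squid -v" output and a squid.conf text. All inputs below are
# constructed samples, not output from a real host.

# Pull "3.5.3" out of the "Squid Cache: Version 3.5.3" line of squid -v.
squid_version() {
    printf '%s\n' "$1" | awk '/^Squid Cache: Version/ { print $4; exit }'
}

# Step 1: SSL support is compiled in when the configure options include
# --enable-ssl (3.2 to 3.4) or --with-openssl (3.5). The trailing class
# keeps --enable-ssl-crtd from being mistaken for --enable-ssl.
squid_has_ssl() {
    printf '%s\n' "$1" | grep '^configure options:' \
        | grep -E -q -- "--(enable-ssl|with-openssl)([^[:alnum:]-]|$)"
}

# Affected ranges named in the advisory: 3.2.0-3.2.13, 3.3.0-3.3.13,
# 3.4.0-3.4.12 and 3.5.0-3.5.3. Returns 0 (true) when $1 is in range.
version_affected() {
    ver=$1
    major=${ver%%.*}
    case $ver in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}          # "3.5.0.1" style betas: keep the third number
    [ "$major" = 3 ] || return 1
    case $minor in
        2) [ "$patch" -le 13 ] ;;
        3) [ "$patch" -le 13 ] ;;
        4) [ "$patch" -le 12 ] ;;
        5) [ "$patch" -le 3 ] ;;
        *) return 1 ;;
    esac
}

# Step 2: the advisory's vulnerable settings are ssl_bump lines whose
# action is "client-first" or "bump". Commented-out lines are ignored.
conf_uses_vulnerable_bump() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "ssl_bump" && ($2 == "client-first" || $2 == "bump") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combine the steps and print one verdict line with its reason.
assess_2015_1() {
    vtext=$1; conf=$2
    ver=$(squid_version "$vtext")
    if ! squid_has_ssl "$vtext"; then
        echo "not vulnerable: Squid $ver built without SSL support"
    elif ! version_affected "$ver"; then
        echo "not vulnerable: Squid $ver is outside the affected ranges"
    elif ! conf_uses_vulnerable_bump "$conf"; then
        echo "not vulnerable: no ssl_bump client-first/bump in squid.conf"
    else
        echo "vulnerable: Squid $ver with ssl_bump client-first/bump"
    fi
}

# Constructed sample inputs.
SAMPLE_V_SSL=$(printf '%s\n' \
    'Squid Cache: Version 3.5.3' \
    'Service Name: squid' \
    "configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'")
SAMPLE_V_NOSSL=$(printf '%s\n' \
    'Squid Cache: Version 3.4.12' \
    'Service Name: squid' \
    "configure options:  '--prefix=/usr' '--enable-icap-client'")
SAMPLE_CONF_BUMP=$(printf '%s\n' \
    'http_port 3128 ssl-bump cert=/etc/squid/example.pem' \
    '# ssl_bump bump all            (commented out: must be ignored)' \
    'acl nobump dstdomain .example.net' \
    'ssl_bump none nobump' \
    'ssl_bump client-first all')
SAMPLE_CONF_PLAIN=$(printf '%s\n' \
    'http_port 3128' \
    'acl localnet src 192.0.2.0/24' \
    'http_access allow localnet')

assess_2015_1 "$SAMPLE_V_SSL" "$SAMPLE_CONF_BUMP"
assess_2015_1 "$SAMPLE_V_SSL" "$SAMPLE_CONF_PLAIN"
assess_2015_1 "$SAMPLE_V_NOSSL" "$SAMPLE_CONF_BUMP"
```

On a real host the two inputs would be "$(squid -v)" and "$(cat /etc/squid/squid.conf)"; the script deliberately takes them as strings so that configuration collected from many proxies can be assessed centrally. It does not follow "include" directives, so files pulled in that way need to be concatenated first, as the advisory's workaround section reminds.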

[squid-announce] Squid 3.3.14 is available

2015-05-01 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.3.14 release!


This release is a security fix release resolving several vulnerabilities
found in the prior 3.3 releases.

REMINDER: This and older releases are already deprecated by
  Squid-3.4 availability.


The major changes to be aware of:


* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate validation

  http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.


* CVE-2014-7141, CVE-2014-7142 : SQUID-2014:4 Multiple issues in pinger
ICMP processing.

Several bugs allow any remote server to perform a denial of service
attack on the Squid service by crashing the pinger.

Some of these bugs allow attackers to leak arbitrary amounts of
information from the heap into Squid log files. This is of higher
importance than usual because the pinger process operates with root
privileges.


* CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing

The bug is important because it allows remote attackers to crash Squid,
causing a disruption in service.  However, the bug is exploitable only
if you have configured Squid to receive SNMP messages.

Sites that do not use SNMP are not vulnerable.



 All users are urged to upgrade as soon as possible.

 See the ChangeLog for the full list of changes in this and earlier
 releases.


Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go". We are still removing the infamous "Bungled
Config" halting points and adding checks, so if something is not
identified please report it.



Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.3/RELEASENOTES.html
when you are ready to make the switch to Squid-3.3

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.3/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.3/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.4.13 is available

2015-05-01 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.13 release!


This release is a security fix release resolving a vulnerability and some
bugs found in the prior 3.4 releases.

REMINDER: This and older releases are already deprecated by
  Squid-3.5 availability.


The major changes to be aware of:


* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate validation

  http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.


* Regression Bug 4212: ssl_crtd crashes with corrupt database

The fix for Bug 3664 introduced a regression on BSD and Linux where
lockf() implementations appear not to lock the entire file correctly or
as reliably as flock(). As a result ssl_crtd records would overwrite
each other. The helper would abort Squid on detecting the corruption.



 All users are urged to upgrade as soon as possible.

 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.2.14 is available

2015-05-01 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.2.14 release!


This release is a security fix release resolving a vulnerability found
in the prior 3.2 releases.

REMINDER: This and older releases are already deprecated by
  Squid-3.3 availability.


The major changes to be aware of:


* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate validation

  http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.



 All users are urged to upgrade as soon as possible.

 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go".


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.2/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please
file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 3.5.4 is available

2015-05-01 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.4 release!


This release is a security and bug fix release resolving several
critical issues found in the prior Squid releases.


The major changes to be aware of:


* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate validation

  http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" or "bump" modes of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.


* Add server_name ACL matching server name(s) obtained from various sources

This ACL type allows SSL-Bumped traffic to match on the best available
server name information. Taking its value from CONNECT URI, TLS SNI, or
Server X509 certificate depending on which the current stage of TLS
processing makes available.

It is designed for use primarily for deciding ssl_bump logic based on
server domain name. Unlike dstdomain it does not perform rDNS lookup
when presented with a raw-IP address.


* Support for resuming TLS sessions

TLS and SSL contain a session resume feature which does not supply X509
certificates for Squid to mimic during the decryption. Previously Squid
has had to abort these connections, causing various client errors.

This release brings support for automatic splicing of resumed TLS
sessions. Bumping is not possible due to lack of certificate
information, and the old behaviour of responding with an error is
causing too many complaints.


* Basic support for ALPN and NPN TLS extensions

These TLS extensions are required to correctly splice or bump port 443
traffic now the port is being heavily overloaded for use by non-HTTPS
protocols wrapped in TLS.

When bumping Squid negotiates for HTTP/1.1 over TLS (HTTPS) to be the
protocol used by both server and client so that Squid can process it.


* Multiple SSL-Bump related crashes

Several different causes of assertion failure when performing SSL-Bump
have been fixed.


* Add Kerberos support for Mac OS X 10.x

Support for Apple custom Kerberos implementation is added in this release.



 All users of Squid-3.5 with SSL-Bump features are urged to upgrade to
this release as soon as possible.

 All users of Squid are encouraged to upgrade to this release as time
permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.5.5 is available

2015-06-05 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.5 release!


This release is a bug fix and stability release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:


* Regression: comm_connect_addr on failures returns Comm:OK

This regression in IPv6/IPv4 failover was introduced by the fix for bug
4238 in Squid-3.5.4 due to incorrect use of the 'errno' system API.

The Squid use of this system API is now undergoing a full audit. Several
other patches included in this release have come about as a result, and
more will be coming in later releases. The other misuses largely appear
to be resulting in incorrect or confusing debug information (eg. Bug
4236: SSL negotiation error of 'success').


* Bug 3930: assertion 'connIsUsable(http->getConn())'

This bug appears when a perfect storm of conditions occur; Squid with
many asynchronous helpers and/or ICAP adaptation responding slowly, on
high speed networking is running at or near its maximum capacity of
traffic loading.


* Bug 4132: regression in short_icon_urls with global_internal_static

This regression in Squid-3.2 is user visible, but only as an annoyance.
When generating FTP directory listings or HTTPS error messages Squid
would incorrectly respond with an error page indicating the icon was not
available.

It is also related to the cache manager HTTPS access denial issues in
earlier releases. Although fixing this does not fully resolve those issues.


* Bug 4238: assertion Read.cc:205: "params.data == data"

This bug appears when Squid operates with a large number of idle server
connections. Occasionally it has to close them without an active request
signalling closure. Wrong close event sequencing resulted in this
unexpected state assertion.


* Fix missing external ACL helper notes

external ACL helper notes were only added onto the HTTP request that
kicked off the external ACL lookup, and not cached ACL responses.
Configurations that depend on external ACL helper notes during later
processing have not been behaving as expected.


* Multiple stability fixes

Alongside the above major issues a number of other issues including
assertions, incorrect traffic rejections, unnecessary resource
consumption, output messages, and default configuration settings have
been resolved in this release.


* HTTP/2 compatibility

HTTP/2 is now a published RFC standard. This release's documentation is
updated to reflect that and is mentioned in the ChangeLog. However it
should be noted that Squid-3.5 remains HTTP/1.1 software. All it
contains is compatibility logics to detect and properly reject or bypass
HTTP/2 messages.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] [ADVISORY] SQUID-2015:2 Improper Protection of Alternate Path

2015-07-08 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2015:2
__

Advisory ID:        SQUID-2015:2
Date:               July 06, 2015
Summary:            Improper Protection of Alternate Path
Affected versions:  Squid 0.x -> 3.5.5
Fixed in version:   Squid 3.5.6
__

http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
__

Problem Description:

 Squid configured with cache_peer and operating on explicit proxy
 traffic does not correctly handle CONNECT method peer responses.

__

Severity:

 The bug is important because it allows remote clients to bypass
 security in an explicit gateway proxy.

 However, the bug is exploitable only if you have configured
 cache_peer to receive CONNECT requests.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.6.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch

Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid versions with cache_peer omitted from squid.conf are
 not vulnerable to the problem.

 All Squid versions with squid.conf containing
 "nonhierarchical_direct on" are not vulnerable to the problem.

 All Squid-3.1 and later with nonhierarchical_direct omitted from
 squid.conf are not vulnerable to the problem.

 All other unpatched Squid configured to use a cache_peer without
 the "originserver" option are vulnerable to the problem.

__

Workaround:

 For Squid-3.0 and older ensure squid.conf contains
 "nonhierarchical_direct on".

 For Squid-3.1 and newer remove nonhierarchical_direct from
 squid.conf.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported and fixed by Alex Rousskov, The
 Measurement Factory.

__

Revision history:

 2015-06-16 16:54 GMT Initial Report and Patches Released
 2015-05-03 15:37 GMT Packages Released
__
END
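The SQUID-2015:2 rules depend on three things at once: whether any cache_peer lacks the "originserver" option, what nonhierarchical_direct is set to, and, when it is omitted, whether the Squid version is 3.1 or newer (where the default is safe) or 3.0 and older (where the workaround is to set it "on" explicitly). The POSIX shell script below is an added example, not part of the advisory or the Squid project's code; its function names are my own and the configurations it checks are constructed samples. It treats 3.5.6 (this advisory) and 3.4.14 (the release announced later on this list for the same advisory) as the first fixed releases of their series.

```shell
#!/bin/sh
# Added example (not Squid project code): applies the SQUID-2015:2
# "Determining if your version is vulnerable" rules to a version string
# and a squid.conf text. The configurations are constructed samples.

# Any cache_peer line without the "originserver" option? Those are the
# peers the advisory covers. Commented-out lines are ignored.
has_nonorigin_cache_peer() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "cache_peer" {
            origin = 0
            for (i = 2; i <= NF; i++) if ($i == "originserver") origin = 1
            if (!origin) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Prints the configured nonhierarchical_direct value ("on" or "off"), or
# "omitted" when the directive is absent. The last occurrence wins.
nonhierarchical_direct_setting() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "nonhierarchical_direct" { val = $2 }
        END { print (val == "" ? "omitted" : val) }'
}

# Split "major.minor.patch" into three shell variables (missing parts
# become 0; a fourth component such as a beta suffix is dropped).
split_version() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
}

# Squid-3.1 and later: an omitted nonhierarchical_direct is safe
# according to the advisory; 3.0 and older need it set to "on".
version_at_least_3_1() {
    split_version "$1"
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }
}

# Fixed releases named on this list: 3.5.6 (the advisory) and 3.4.14
# (its release announcement). Later releases in those series and any
# newer series are assumed to carry the fix as well.
version_has_fix() {
    split_version "$1"
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] || return 1
    case $minor in
        4) [ "$patch" -ge 14 ] ;;
        5) [ "$patch" -ge 6 ] ;;
        *) [ "$minor" -ge 6 ] ;;
    esac
}

# Walk the advisory's rules in order and print one verdict line.
assess_2015_2() {
    ver=$1; conf=$2
    nhd=$(nonhierarchical_direct_setting "$conf")
    if version_has_fix "$ver"; then
        echo "not vulnerable: Squid $ver carries the fix"
    elif ! has_nonorigin_cache_peer "$conf"; then
        echo "not vulnerable: no cache_peer without originserver"
    elif [ "$nhd" = on ]; then
        echo "not vulnerable: nonhierarchical_direct on"
    elif [ "$nhd" = omitted ] && version_at_least_3_1 "$ver"; then
        echo "not vulnerable: Squid $ver default with nonhierarchical_direct omitted"
    else
        echo "vulnerable: Squid $ver, cache_peer with nonhierarchical_direct $nhd"
    fi
}

# Constructed sample configurations.
CONF_PEER_OFF=$(printf '%s\n' \
    'cache_peer parent.example.net parent 3128 0 no-query default' \
    'nonhierarchical_direct off' \
    'never_direct allow all')
CONF_ORIGIN_ONLY=$(printf '%s\n' \
    'cache_peer 192.0.2.10 parent 80 0 no-query originserver' \
    '# nonhierarchical_direct off     (commented out: must be ignored)')
CONF_PEER_OMIT=$(printf '%s\n' \
    'cache_peer parent.example.net parent 3128 0 no-query default')

assess_2015_2 3.5.5 "$CONF_PEER_OFF"
assess_2015_2 3.5.5 "$CONF_PEER_OMIT"
assess_2015_2 3.0.25 "$CONF_PEER_OMIT"
assess_2015_2 3.5.6 "$CONF_PEER_OFF"
```

The version string would normally come from "squid -v" and the configuration from the running squid.conf with any included files concatenated. The order of the checks mirrors the advisory: a fixed release is safe regardless of configuration, a deployment with only originserver peers is safe, and only then does the nonhierarchical_direct value (and, for an omitted directive, the version-dependent default) decide the verdict.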


[squid-announce] Squid 3.5.6 is available

2015-07-08 Thread Amos Jeffries
//www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-announce] [ADVISORY] SQUID-2015:2 Improper Protection of Alternate Path

2015-08-05 Thread Amos Jeffries
This is a courtesy announcement for users and distributors of Squid-3.1
that the advisory SQUID-2015:2 also known as CVE-2015-5400 has been
updated to include a patch for Squid-3.1.

The latest advisory document can be downloaded from
<http://www.squid-cache.org/Advisories/SQUID-2015_2.txt>

The patch is available in the 3.1 series patch archive at
<http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch>


Thanks to Raphael Hertzog with sponsorship by Debian LTS sponsors for
this difficult work.


Amos Jeffries
Squid Software Foundation



[squid-announce] Squid 3.4.14 is available

2015-08-05 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.14 release!


This release is a security fix release resolving a vulnerability and
some bugs found in the prior releases.

REMINDER: This and older releases are already deprecated by
  Squid-3.5 availability.



The major changes to be aware of:


* SQUID-2015:2 Improper Protection of Alternate Path

  http://www.squid-cache.org/Advisories/SQUID-2015_2.txt

Squid when passing a CONNECT request to a cache_peer blindly passes the
response back to the client. This can result in further requests on the
connection bypassing all access controls or routing configuration in the
gateway proxy that would otherwise have been applied.

The default settings of Squid protect most sites against this. However
certain known network topologies require the configuration which is
vulnerable.



 All users of older Squid are urged to upgrade as soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.5.7 is available

2015-08-05 Thread Amos Jeffries
s with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.5.8 is available

2015-09-05 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.8 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Bug 3553: cache_swap_high ignored and maxCapacity used instead

This bug shows up worst during peak traffic or on high performance
caches. A small change in the input parameters in earlier versions
meant that its 'high aggression' level was not beginning at the
configured high-water mark. Also the cache eviction algorithm designed
some twenty years ago was not aggressive enough to keep up with the
traffic inflow on high performance caches.

See the cache_swap_low and cache_swap_high directive documentation for
details on how to configure the eviction aggressiveness.

NOTE:
  Since the release was made new diagnostics added at level 1 have
been found too verbose on caches which are undergoing a swap.state
rebuild ("DIRTY" cache scan). If the cache is large that may take a
very long time and produce a lot of warnings. This will be resolved in
the next release and snapshots.

The workaround for now is to configure debug_options with 47,0 which
will return Squid to its previous cache.log behaviour.



* Bug 3696: crash when client delay pools are activated

As the title indicates use of client_delay_pools in squid.conf was
crashing Squid immediately. Client delay pools now appear to be
working as intended. Apologies for the time this took to resolve.



* TLS: ignore of impossible SSL bumping actions

The implemented behaviour of ssl_bump access controls in
peek-and-splice was not following the documented behaviour. As a
result explicit step2 and step3 configuration workarounds were needed
to prevent some failures.

The ssl_bump actions are now occurring strictly within the bumping
stages as documented in the wiki peek-and-splice description. All
existing configurations should continue to work. However those
containing extra ACL tests for the broken edge cases may want to
re-evaluate their rules and simplify.

Reminder that the 3.5 series bumping actions are:
  peek, splice, stare, bump, terminate.

All other bumping actions are deprecated and should no longer be used.
Any installation mixing the old and new actions needs to be fixed to
using only the new actions.

Reminder also that SSL-bumping is an ongoing work in progress and thus
still considered an experimental feature. Stability is improving fast,
but not yet guaranteed.



* TLS: Support splice for sessions that start with an SSLv2 Hello

Clients using the outdated OpenSSL 0.9.8 versions can start SSLv3 or
TLSv1.0 connections using an SSLv2 syntax Hello handshake. Previously
these were rejected as unknown protocol.

This has no connection with SSLv2 deprecation itself. While SSLv2 and
SSLv3 are mandatory to reject, these handshakes are still permitted
when they lead to using TLSv1.

The SSLv2 syntax does however prevent use of highly desirable TLS
security extensions, such as SNI. We highly recommend encouraging
these clients to upgrade their security libraries.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-annou

[squid-announce] Squid 3.5.9 is available

2015-09-21 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.9 release!


This release is a security and bug fix release resolving issues found in
the prior Squid releases.


The major changes to be aware of:


* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
  processing

These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service and all
other services on the same machine.

However, the bugs are exploitable only if you have configured a
Squid-3.5 listening port with ssl-bump.

The visible signs of these bugs are a Squid crash or high CPU usage.
Skype is known to trigger the crash and/or a small amount of extra CPU
use unintentionally. Malicious traffic is possible which could have
severe effects.


* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

The SMB LanMan authentication helper in Squid-3.2 and later has been
rejecting valid user credentials.

Reminder: Use of this helper is deprecated. We strongly recommend
against using it. LanMan authentication gives the illusion of
transmitting NTLM protocol while actually transmitting username and
password with crypto algorithms that can be decoded in real-time (this
helper relies on that ability). The combination makes it overall less
secure than even HTTP Basic authentication.


* TLS: Support SNI on generated CONNECT after peek

When Squid generates CONNECT requests it will now attempt to use the
client SNI value if any is known.

Note that SNI is found during an ssl_bump peek action, so will only be
available on some generated CONNECT. Intercepted traffic will always
begin with a raw-IP CONNECT message which must pass access controls and
adaptations before ssl_bump peek is even considered.


* Quieten UFS cache maintenance skipped warnings

This resolves the log noise encountered since the 3.5.8 release when
large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] [ADVISORY] SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS processing

2015-09-21 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2015:3
__

Advisory ID:        SQUID-2015:3
Date:               September 17, 2015
Summary:            Multiple Remote Denial of service issues
                    in SSL/TLS processing.
Affected versions:  Squid 3.5.0.1 -> 3.5.8
Fixed in version:   Squid 3.5.9
__

http://www.squid-cache.org/Advisories/SQUID-2015_3.txt
__

Problem Description:

 Due to integer overflow issues Squid is vulnerable to a denial
 of service attack when processing SSL or TLS messages.

 Due to lack of input validation Squid is vulnerable to a denial
 of service attack when processing SSL or TLS messages.

__

Severity:

 These problems allow any trusted client or external server to
 perform a denial of service attack on the Squid service and all
 other services on the same machine.

 There exists popular software which triggers these bugs
 unintentionally.

 However, the bugs are exploitable only if you have configured a
 Squid-3.5 listening port with ssl-bump.

__

Updated Packages:

 These bugs are fixed by Squid version 3.5.9.

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-3.4 and older versions are not vulnerable.

 All Squid-3.5 built without OpenSSL support are not vulnerable.

 All unpatched Squid-3.5 with http_port or https_port configured
 with the ssl-bump option in squid.conf are vulnerable.

 The following command can be used to easily determine if a
 vulnerable configuration is being used:
   squid -k parse 2>&1 | grep ssl-bump

__

Workaround:

 Remove ssl-bump configuration options from squid.conf

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your primary
 support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported by Aleksandr Demchenko.

 Fixes by Alex Rousskov and Christos Tsantilas of The Measurement
 Factory.

__

Revision history:

 2015-08-27 08:39:03 GMT Initial Report
 2015-09-17 13:04:55 GMT Packages Released
__
END
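The "Determining if your version is vulnerable" criteria above, encoded as a small triage script. This is an added example, not part of the advisory or of the Squid project; it assumes the version string and configure-options line are taken from "squid -v" output, and every sample input in it is constructed.

```shell
#!/bin/sh
# Added example (not Squid project code): static triage against the
# SQUID-2015:3 conditions. Inputs: version string and configure-options
# line (both as printed by "squid -v") plus a squid.conf path.

# Affected per the advisory: Squid 3.5.0.1 -> 3.5.8, fixed in 3.5.9.
is_affected_version() {
    case "$1" in
        3.5.0.*)   return 0 ;;   # 3.5.0.1 .. 3.5.0.x betas
        3.5.[1-8]) return 0 ;;   # 3.5.1 .. 3.5.8 (3.5.9, 3.5.10 do not match)
        *)         return 1 ;;   # 3.4 and older, 3.5.9 and newer, 4.x
    esac
}

# Squid-3.5 built without OpenSSL is not vulnerable. The 3.5 build flag is
# --with-openssl; the older --enable-ssl spelling is accepted as well.
built_with_openssl() {
    printf '%s\n' "$1" | grep -Eq -e "--(with-openssl|enable-ssl)([' ]|$)"
}

# An http_port/https_port line carrying the ssl-bump flag is the exploitable
# configuration. Comments are stripped first so a commented-out port line
# does not count. Unlike the advisory's "squid -k parse 2>&1 | grep ssl-bump"
# this static check does not follow include directives.
config_has_ssl_bump() {
    sed 's/#.*//' "$1" |
      grep -Eq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]ssl-bump([[:space:]]|$)'
}

# squid_2015_3_status VERSION CONFIGURE_LINE CONFIG_FILE
# Prints one verdict token, checking the conditions in the advisory's order.
squid_2015_3_status() {
    if ! is_affected_version "$1"; then
        echo "not-affected-version"
    elif ! built_with_openssl "$2"; then
        echo "not-affected-no-openssl"
    elif ! config_has_ssl_bump "$3"; then
        echo "not-affected-no-ssl-bump"
    else
        echo "VULNERABLE"
    fi
}

# --- constructed sample inputs (not captured from any real host) ---
SAMPLE_CONFIGURE="configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"
SAMPLE_NO_SSL="configure options:  '--prefix=/usr' '--enable-icap-client'"

BUMP_CONF=$(mktemp)
PLAIN_CONF=$(mktemp)
trap 'rm -f "$BUMP_CONF" "$PLAIN_CONF"' EXIT

cat > "$BUMP_CONF" <<'EOF'
# constructed squid.conf fragment with an SSL-bumping intercept port
http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/proxy.pem  # bumping on
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF

cat > "$PLAIN_CONF" <<'EOF'
# constructed squid.conf fragment: bumping mentioned only in a comment
http_port 3128
# http_port 3130 ssl-bump cert=/etc/squid/proxy.pem
EOF

# Walk the boundary cases named in the advisory: first beta, last
# vulnerable release, first fixed release, and the older 3.4 series.
for v in 3.5.0.1 3.5.8 3.5.9 3.4.14; do
    printf '%-8s %s\n' "$v" "$(squid_2015_3_status "$v" "$SAMPLE_CONFIGURE" "$BUMP_CONF")"
done
printf '%-8s %s\n' 3.5.8 "$(squid_2015_3_status 3.5.8 "$SAMPLE_NO_SSL" "$BUMP_CONF")"
printf '%-8s %s\n' 3.5.8 "$(squid_2015_3_status 3.5.8 "$SAMPLE_CONFIGURE" "$PLAIN_CONF")"
```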


[squid-announce] Squid 3.5.10 is available

2015-10-02 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.10 release!


This release is a bug fix release resolving issues found in the prior
Squid releases.


The major changes to be aware of:


* Regression Bug 4326: base64 binary encoder rejects data beginning
  with nil byte

This regression since 3.3, introduced by hardening of the base-64 encoder,
causes unnecessary CPU consumption during Digest authentication on
big-endian systems. Thanks to Pavel Šimerda for identifying the problem
and providing the fix.


* Bug 4323: Netfilter broken cross-includes with Linux 4.2

Due to a problem with Netfilter (libc) header includes Squid and other
software using Netfilter will not build on Linux 4.2. The kernel
developers have provided a hack to allow software to build, but it
requires some changes on our part to make use of it. Those changes are
included in this Squid release.


* Bug 4303: PeerConnector.cc:743 "!callback" assertion.

This problem occurs when slow-group ACLs are used in ssl_bump and no
bumping action is selected (the default action is being performed).
Squid now makes a smarter choice of default ssl_bump action to perform
when no explicit ACL match is provided.

Note: The bug number recorded in bzr, changelog and patch header is
wrong. The correct number is 4303.


* Bug 4330: Do not use SSL_METHOD::put_cipher_by_char

Recent changes to this OpenSSL and LibreSSL library API behaviour mean
that Squid's particular use of it could result in crashes, or incorrect
rejection of TLS/SSL connections.


* Memory management optimizations

This release includes removal of a custom allocator pool size for
StoreEntry objects. Knowledge of the actual benefits from that supposed
optimization has been lost in time, and it's not possible to accurately
measure its actual impact in all load scenarios; this change is
therefore considered a potential performance regression in some load
scenarios.

Initial testing of this change shows an overall reduction in Squid memory
needs for general usage. So we believe this is a worthwhile change until
proven otherwise.


* Copyright Updates

As part of the Squid Software Foundation project to cleanup the Squid
copyright situation it was found that the basic_sspi_auth,
ntlm_smb_lm_auth, and ntlm_fake_auth helpers were GPL 2.0-only licensed.
This is not fully compatible with the GPLv2+ terms Squid bundles are
officially being distributed under, which is intended to allow
downstream GPLv3 or later relicensing.

The main authors and copyright holders of those helpers have graciously
agreed to relicense them as GPLv2+ for compatibility with the Squid
collective license.

The libltdl tools bundled with Squid have also undergone a relicense to
LGPLv2.1+ in the version we import.



 All users of Squid are encouraged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.1 beta is available

2015-10-18 Thread Amos Jeffries
The Squid Software Foundation is very pleased to announce the
availability of the Squid-4.0.1 beta release!


This new 4.x series of Squid brings useful new features and changes
providing improved performance over earlier release series.

More detailed descriptions of the major new features are available in
the release notes and wiki:
  <http://www.squid-cache.org/Versions/v4/RELEASENOTES.html>
  <http://wiki.squid-cache.org/Squid-4>

Detailed lists of the ./configure build and squid.conf changes can also
be found in the release notes.

This code is released as beta for wider testing purposes and potential
use. There are no more planned alterations to the existing features,
./configure options or squid.conf options.

  NOTE:  Since the 4.0.1 package was bundled, some important issues
have been found and resolved. Testers are encouraged to use the daily
snapshot or apply the patches in the "Change Details" listing where
relevant.



This release adds a dependency on C++11 support in any compiler used to
build Squid. As a result older C++03-only and most C++0x compilers will
no longer build successfully. GCC 4.9+ and Clang 3.5+ are known to have
working C++11 support and are usable. GCC-4.8 will also build for now
despite lack of full C++11 support, but some future features may not be
available.


This Squid version begins the transition from SSL behaviour to TLS
behaviour. While these protocols are often considered to be the same,
they in fact have some small but significant differences. Most relevant
to Squid is the negotiation for RFC protocol version and thus cipher
sets and connection capabilities. Parameters for configuring SSL are
being renamed to TLS options in this version. Other options may be
renamed in upcoming versions.
 Please ensure you run "squid -k parse" to check squid.conf during
upgrade and check the relevant parameters documentation to avoid surprises.


Squid is now capable of configuring Elliptic Curve ciphers in TLS. These
ciphers are the most secure algorithms currently available, and are
being required by some browser implementations and security policies.
But they do require a slightly different configuration in squid.conf to
enable. More details in the release notes.


Squid is now capable of communicating with ICAP services over TLS. The
squid.conf options for the connection to these services can be configured
similarly to those previously available on the cache_peer directive. See
the release notes for further details.


External ACL helpers can now be passed a much wider range of details
using any of the logformat codes for the format parameter. Whether any
given macro expands is dependent on whether the detail is available yet
in the transaction. Not all access controls have been tested yet; some
regressions may occur, and if you find one please report the bug ASAP.


The ID assignment algorithm for the helper concurrency channels feature
has been altered significantly. It requires 64-bit ID support in helpers
and will cycle through ID numbers sequentially instead of using the lowest
unused channel. This may require some helpers to be re-designed, and all
32-bit helpers definitely need to be rebuilt with 64-bit ID support. See
release notes for specific requirements on helpers.


SMP support availability on several OS has been improved with the use of
C++11 atomics and shared memory features. These features are
auto-enabled by default. There may be behaviour differences noticed with
memory caching on OS where SMP support was previously being auto-disabled.


Major features dropped:

 * SSLv2 support is officially purged from the code.

RFC 6176 requires that new and updated releases of software supporting
SSL no longer provide support for negotiating SSLv2 ciphers or protocol
behaviours. This release of Squid removes SSLv2 support including all
squid.conf configuration options used to enable or disable SSLv2 related
behaviours.

Manual config file updates may be required to avoid warnings or errors
about unsupported options.

 * basic_msnt_multi_domain_auth removal

The SMB LM helpers were deprecated some time ago. Additionally, the MSNT
multi-domain auth helper has been found to overlap completely with
features still available in the basic_smb_lm_auth helper.



All users are encouraged to give this Squid release a test run as soon
as time permits. All feedback welcome.


Please refer to the release notes at
<http://www.squid-cache.org/Versions/v4/RELEASENOTES.html> if and when
you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  <http://www.squid-cache.org/Versions/v4/>
  <ftp://ftp.squid-cache.org/pub/squid/>
  <ftp://ftp.squid-cache.org/pub/archive/4/>

or the mirrors. For a list of mirror sites see

  <http://www.squid-cache.org/Download/http-mirrors.html>
  <http://www.squid-cache.org/Download/mirrors.html>

If you encounter any issues with this rele

[squid-announce] Squid 3.5.11 is available

2015-11-08 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.11 release!


This release is a bug fix release resolving issues found in the prior
Squid releases.


The major changes to be aware of:


* Regression Bug #4279: FTP-download of non-existing file

When requested to fetch an ftp:// URL for a file which does not exist,
earlier Squid would simply hang. An appropriate error page is now
generated and delivered to the client.



* Bug #4347: compile errors with LibreSSL 2.3

LibreSSL 2.3 removed SSLv3 support entirely from its API, meaning
Squid-3.5 would no longer build with SSL enabled. That is now resolved,
with SSLv3 being made optional in Squid.

OpenSSL allowed builds with SSLv3 removed as well; though this is less
common, it would have the same effect on Squid builds.

NP: since 3.5.11 packaging one related issue has been found that can
result in assert(0) on some CPU architectures.



* Bug #3574: crashes on reconfigure and startup

During the machine boot sequence Squid can receive multiple reconfigure
signals during its startup phase as the system configuration is changed
and Squid is signalled to reload the information, leading to overlapping
reconfiguration load sequences and crashes from inconsistent config states.
Squid will now ignore reconfigure requests before startup has read the
initial config file and treat repeated signals during reconfigure as a
single request to reload squid.conf when the current operation has
completed.



* Bug #4188: Bumping intercepted SSL connections does not work on
  Solaris

This bug turned out to be missing logic in the I/O module handling
/dev/poll on Solaris. It affects all TLS/SSL connections being received
or generated by Squid. All users of Squid on Solaris wanting to use
TLS/SSL enabled Squid need to upgrade to at least this release.



* Connection stats, including %

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.2 beta is available

2015-11-08 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.2 release!


This release is a beta release resolving issues found in the prior Squid
releases.


The major changes to be aware of:


* Several regression bugs

 - Bug #4356: segmentation fault using proxy_auth ACL
 - Bug #4352: compile errors in OS X 10.11
 - Bug #4351: compile errors when authentication modules disabled
 - Bug #4021: ext_user_regex does exact match

There are also several compile errors with clang which have been
resolved but not in time for this release. To build with clang please
use the latest snapshot package.



* Bug #3574: To avoid crashes, prohibit reconfiguration during shutdown.

This release contains additional fixes for reconfiguration issues during
the Squid shutdown sequence.

Note: there are additional shutdown issues yet to be resolved. This only
completes the bug 3574 set of issues surrounding reconfiguration signals.



* HTTP/1.1 parser fixes

1xx responses were incorrectly being flagged as final response headers,
eventually leading to the server connection being closed with an abort.
This breaks many PUT transactions, which often rely on
Expect:100-continue feature of HTTP to prevent excessive uploads.

Chunked encoding messages were sometimes not having their terminal bytes
detected properly, causing Squid to abort the transaction and/or the
connection as bad when no actual error had occurred.

Note: The new parser also currently rejects URI/URL containing
characters which are not permitted for use in URI due to their dangers
with shell-injection or similar types of attacks. Several major web
services are using such characters anyway. The fix to restore the old
behaviour is still awaiting the final stages of our QA process.



* Re-assign delay pools based on HTTP reply details

The delay_access criteria for delay pools will now be re-assessed on
receipt of a server HTTP response. This means it is possible to assign
pools based on HTTP reply headers or other server details.

Some initial portion of the response may be received and buffered prior
to the re-assignment happening. That portion will be accounted for in
the earlier request-based pool assignment for the transaction.



 All users of Squid are encouraged to test this release out and plan for
upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 3.5.12 is available

2015-11-28 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.12 release!


This release is a bug fix release resolving issues found in the prior
Squid releases.


The major changes to be aware of:


* Bug #4374: refresh_pattern config parser (%)

For some time the squid.conf parser has been reporting errors when the
refresh_pattern percentage parameter was configured with values over
100%. Due to the nature of the revalidation algorithm refresh often works
better with very large percentage values, particularly when dealing with
very young objects.
This release now permits large percentage values to be configured.


* Bug #4228: links with krb5 libs despite --without options

The Kerberos library --without-mit-krb5 and --without-heimdal-krb5
options were not working in previous 3.5 releases and could result in
build errors. This has been corrected.


* Bug #4373: assertion 'redirect_state == REDIRECT_NONE'

Squid could exit with the above assertion if a misconfigured SquidGuard
helper was used. This release will now correctly handle the SquidGuard
response without exiting.

Note that it appears the SquidGuard project is no longer being
maintained. All its capabilities are available directly within Squid.
Users still relying on it should evaluate upgrading their config to no
longer use a rewriter, or to migrate to one of the alternative helpers
which are available and being maintained.


* TLS: Handshake Problem during Renegotiation

Previous Squid did not support server-initiated renegotiation and would
close the TLS connection even if the renegotiation occurred during the
handshake process. Squid now supports this TLS feature during the TLS
handshake when SSL-Bumping the traffic.


* Revert r13921: Migrate StoreEntry to using MEMPROXY_CLASS

An attempted performance optimization in Squid-3.5.10 r13921 has been
found to uncover hidden bugs in the cache handling. As a result objects
could become MISS or revalidate unnecessarily. Some SNMP reporting
issues could also result. The change has now been removed from 3.5.


* Fix SSL_get_certificate() problem detection

The autoconf checks for this sometimes broken function fail on library
builds which don't include SSLv3; as a result of the autoconf decision
this can end up triggering the assert(0) in Ssl::verifySslCertificate().


* Fix cache_peer forceddomain= in CONNECT

CONNECT messages output by Squid to peers in configurations using the
forceddomain= parameter could be sent with the original domain name in
the Host: header. While this should not have had any effect, it is
possible that broken recipients and downstream traffic analysis could be
confused. Squid will now consistently apply forceddomain= on all HTTP
requests.



 All users of Squid are encouraged to upgrade to this release as time
permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.3 beta is available

2015-11-28 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.3 release!


This release is a beta release resolving issues found in the prior Squid
releases.


The major changes to be aware of:


* Several regression bugs

 - Bug 4372: missing template files
 - Bug 4371: no such file or directory: DiskIO/*/*DiskIOModule.o
 - Fix various DiskIO bugs
 - Fix compile error on clang undefined reference to '__atomic_load_8'
 - ext_kerberos_ldap_group_acl missing workarounds for Heimdal Kerberos
 - Quieten ALE missing messages

There are also several new compile errors which have been uncovered:

 - when Clang is installed alongside GCC 5 it cannot link libstdc++
 - libecap uses TR1 shared_ptr which are incompatible with C++11
   std::shared_ptr definitions assumed by Squid-4. A patch is required.


* Bug 4368: A simpler and more robust HTTP request line parser

As noted in the previous release the new parser was rejecting URI/URL
containing characters which are not permitted for use in URI due to
their dangers with shell-injection or similar types of attacks. Several
major web services are using such characters anyway.

This release now accepts those characters in the request-line parser,
although they may still be rejected later in the request processing if
they result in an unprocessable URL or invalid DNS lookup.


* ext_ldap_group_acl: Allow unlimited LDAP search filter

Previously this helper restricted the length of search filters, both in
parameter length and constructed filter length. Those restrictions are
now lifted and any length of filter may be used.

Please note that large filters do have a performance impact from extra
string manipulation and LDAP parsing. So use of short filters is
recommended.


* ext_unix_group_acl: Support to strip @REALM from usernames

This helper now supports group lookups for Kerberos authenticated users.
The -r command line option can be used to enable stripping Kerberos
format Realm details from the user credentials. This complements the
existing option to strip NTLM domain details. Both may be used together
if needed.



 All users of Squid are encouraged to test this release out and plan for
upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid-4.0.4 beta is available

2016-01-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.4 release!


This release is a beta release resolving some issues found in the prior
Squid releases.

The major changes to be aware of:


* Several regression bugs fixed

 - Bug 4393: compile fails on OS X
 - Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or
tunnelClientClosed


* Some minor squid.conf additions

 - cache_peer support for Kerberos credentials cache instead of keytab
 - Support logging of TLS Cryptography Parameters
 - Support substring matching in Note ACL


 All users of Squid are encouraged to test this release out and plan for
upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.5.13 is available

2016-01-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.13 release!


This release is a bug fix release resolving issues found in the prior
Squid releases and hardening security.


  Please note the TLS feature backport is an exceptional situation.
  The Squid Project policy is (and remains) not to backport feature
  changes affecting squid.conf within a stable/production release.


The major changes to be aware of:


* Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange

The Squid-4 functionality supporting Elliptic Curve cryptography has
been backported to this release to better suit community needs.


* Complete certificate chains using external intermediate certificates

Many origin servers do not send complete certificate chains. Many
browsers use certificate extensions in the server certificate to
download the missing intermediate certificates automatically from the
Internet. Squid-3 does not do that.

This backported Squid-4 feature allows an admin to supply a file with
intermediate certificates that Squid may use to complete certificate
chains. These intermediate certificates are _not_ treated as trusted
root certificates.


* SSL-Bump: Avoid memory overuse with X.509 certificate validator

SSL-Bump TLS contexts are created dynamically and potentially in large
numbers. When a certificate validator was used the validator response was
causing the context to be leaked.

Note: There are other known (and some unknown) memory issues related to
certificate validation which remain to be solved.


* Fix connection retry and fallback after failed server TLS connections

Previous Squid-3.4 and 3.5 releases would attempt only one server
connection when forwarding a bumped https:// and if that failed would
produce an error. This release will now retry with other servers as done
with http:// requests.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 3.5.14 is available

2016-02-15 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.14 release!


This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt

This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support performs outbound TLS server
connections independent of the inbound client request type, it can be
triggered by a plain-text HTTP message.

 Affected Squid versions are:
  3.5.13, 4.0.4, 4.0.5 built using --with-openssl

See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected releases.


* Bug #4431: C code is not compiled with CFLAGS

This bug in the build toolchain has existed since at least 3.2 and
meant the few C objects still being built as part of Squid and helpers
were not being built using the proper CFLAGS values.

Builds for unusual environments or with customised CFLAGS values will
need to take some extra care and testing with this release to ensure the
desired compiler actions are occurring.


* Fix %un logging external ACL username

This issue affects both logging and the key_extras feature of 3.5 which
both rely on logformat codes. It shows up in two ways:

 - For Squid relying exclusively on external ACL helper side-band
authentication the username would not be logged at all.

 - For Squid relying on multiple sources of authentication the username
for another source could wrongly be displayed instead of the external
ACL provided value.


* Fix invalid FTP connection handling on blocked content

This issue shows up as 'hanging' FTP transactions when an ICAP service
has explicitly requested that they be blocked / rejected / denied.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.6 beta is available

2016-02-15 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.6 release!


This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.

  NP: this release announcement also covers 4.0.5 change details.


The major changes to be aware of:


* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt

This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support performs outbound TLS server
connections independent of the inbound client request type, it can be
triggered by a plain-text HTTP message.

 Affected Squid versions are:
   3.5.13, 4.0.4, 4.0.5 built using --with-openssl

See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected Squid-4 releases.


* Several regression bugs fixed

 - Bug 4436: Fix DEFAULT_SSL_CRTD
 - Bug 4429: http(s)_port options= error message missing characters
 - Bug 4410: compile error in basic_ncsa_auth after 4.0.4
 - Bug 4403: helper compile errors after 4.0.4
 - Bug 4401: compile error on Solaris
 - Fix: TLS/SSL flags parsing
 - Fix: cert validator always disabled in 4.0.x
 - Fix: Name-only note ACL stopped matching after 4.0.4 (note -m)
 - Fix: external_acl problems after 4.0.1


* SSL related helpers changed

This release adds two new ./configure options
  --enable-security-validators=
  --enable-security-generators=

These build options operate the same as the external ACL and
authentication helper build options, but control whether the SSL
certificate validator and SSL-Bump certificate generator helper(s) are
built.

As part of this change:

 - the ssl_crtd helper is renamed to security_file_certgen
   (built with --enable-security-generators=file), and

 - the cert_valid.pl helper is renamed to security_fake_certverify
   (built with --enable-security-validators=fake).


* Add connections_encrypted ACL

This new ACL only matches true when all the external connections
involved with a transaction (so far) have been secured. It can be used
to prohibit sending traffic received over a secure connection to
insecure services such as URL-rewriters, ICAP, eCAP, cache_peer, or to
set tcp_outgoing_* details differently for secure/insecure transactions.


* Fix SSL-Bump step 3 splice action

This bug shows up as Squid HTTPS transactions hanging while contacting
an upstream TLS server. It occurs when splice action is selected for use
at stage 3 of SSL-Bumping.



 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] [ADVISORY] SQUID-2016:1 Remote Denial of Service issue in SSL/TLS processing.

2016-02-15 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:1
__

Advisory ID:        SQUID-2016:1
Date:               February 16, 2016
Summary:            Remote Denial of Service issue
                    in SSL/TLS processing.
Affected versions:  Squid 3.5.13
                    Squid 4.0.4 -> 4.0.5
Fixed in version:   Squid 4.0.6, 3.5.14
__

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
__

Problem Description:

 Due to incorrectly handling server errors, Squid is vulnerable to
 a denial of service attack when connecting to TLS or SSL servers.

__

Severity:

 This problem allows any trusted client to perform a denial of
 service attack on the Squid service regardless of whether TLS or
 SSL is configured for use in the proxy.

 Misconfigured client or server software may trigger this issue
 to perform a denial of service unintentionally.

 However, the bug is exploitable only if Squid is built using the
 --with-openssl option.

__

Updated Packages:

 These bugs are fixed by Squid version 3.5.14 and 4.0.6.


 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-3.4 and older versions are not vulnerable.

 All Squid-3.5.12 and older 3.5 versions are not vulnerable.

 All Squid-3.5 built without OpenSSL support are not vulnerable.

 All Squid-4.0.3 and older 4.0 versions are not vulnerable.

 All Squid-4 built without OpenSSL support are not vulnerable.

 All unpatched Squid-3.5.13, 4.0.4, and 4.0.5 built using
 --with-openssl are vulnerable.

 The following command can be used to easily determine if a
 vulnerable build is being used:
  squid -v

__

Workaround:

 Disabling service for https:// URLs entirely at the top of the
 squid.conf http_access rules fully protects against this
 vulnerability:

   acl HTTPS proto HTTPS
   http_access deny HTTPS

Or,

 Relaying outbound HTTPS traffic through a non-vulnerable proxy
 protects against the issue unless the SSL-bump splice feature is
 being used.

Or,

 Disabling service for irregular HTTPS ports protects against the
 simplest forms of attack while retaining most HTTPS service:

   acl HTTPS proto HTTPS
   http_access deny HTTPS !SSL_Ports

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported and fixed by Christos Tsantilas of
 The Measurement Factory.

__

Revision history:

 2016-02-12 17:50:38 GMT Initial Report
 2016-02-12 18:05:44 GMT Patch Released
 2016-02-15 17:15:00 GMT Packages Released
__
END


[squid-announce] [ADVISORY] SQUID-2016:2 Multiple Denial of Service issues in HTTP Response processing

2016-02-23 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:2
__

Advisory ID:        SQUID-2016:1
Date:               February 23, 2016
Summary:            Multiple Denial of Service issues
                    in HTTP Response processing
Affected versions:  Squid 3.x -> 3.5.16
                    Squid 4.x -> 4.0.7
Fixed in version:   Squid 4.0.7, 3.5.15
__

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
__

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to a denial
 of service attack when processing HTTP responses.

 Due to incorrect error handling Squid-4 is vulnerable to a denial
 of service attack when processing malformed HTTP responses.

__

Severity:

 These problems allow remote servers delivering certain unusual
 HTTP response syntax to trigger a denial of service for all
 clients accessing the Squid service.

 HTTP responses containing malformed headers that trigger this
 issue are becoming common. We are not certain at this time if
 that is a sign of malware or just broken server scripting.

 Details of a trivial attack are already circulating publicly.

__

Updated Packages:

 These bugs are fixed by Squid version 3.5.15 and 4.0.7.

 In addition, patches addressing these problems for the stable
 release can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-3.2 and older have not been tested but are expected to
 be vulnerable.

 All unpatched Squid-3.3 versions are vulnerable.

 All unpatched Squid-3.4 versions are vulnerable.

 All unpatched Squid-3.5.14 and older are vulnerable.

 All unpatched Squid-4.0.6 and older are vulnerable.

__

Workaround:

 There are no good workarounds known for these vulnerabilities.

 The following squid.conf settings can protect Squid-3.5 (only)
 against the publicly published attack. But unpatched Squid remains
 vulnerable to other known attacks:

   acl Vary rep_header Vary .
   store_miss deny Vary

Or,

 The following squid.conf settings can protect against the
 publicly published attack. But unpatched Squid remains vulnerable
 to other known attacks:

   cache deny all

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The bounds checking vulnerability was identified and reported by
 Mathias Fischer from Open Systems AG.

 The bounds checking vulnerability was fixed by Alex Rousskov from
 The Measurement Factory.

 The error handling vulnerability was found and fixed by Alex
 Rousskov from The Measurement Factory.

__

Revision history:

 2016-02-17 06:51:25 UTC Initial Report
 2016-02-18 04:15:33 UTC Patches Released
 2016-02-19 23:15:41 UTC Additional Patches Released
 2016-02-23 16:37:27 UTC Attack PoC becomes public knowledge
 2016-02-23 18:23:00 UTC Packages Released
__
END


[squid-announce] Squid 3.5.15 is available

2016-02-23 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.15 release!


This release is a security release resolving several major
vulnerabilities found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
  processing

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

The visible symptoms of these are various assertions about:
 "String.cc:*: 'len_ + len <65536'"
 "store.cc:*: 'isEmpty()'"

There are a number of known attacks involved for both of these
assertions. Almost all are now fully fixed or rendered harmless to other
transactions. However, some hard-to-trigger ones are not yet resolved.

Normally we would not release this advisory and packages until a full
fix or workaround was confirmed. However these assertions have recently
become the topic of a lot of public discussion and a trivial PoC is now
available. We have chosen to release the existing fixes now as work
continues towards a final resolution.

  All Squid-3 and Squid-4 releases to date are affected.

See the advisory for further details. Upgrade or patching should be
considered a high priority.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.7 beta is available

2016-02-23 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.7 release!


This release is a security release resolving several major
vulnerabilities found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
  processing

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

The visible symptoms of these are various assertions about:
 "String.cc:*: 'len_ + len <65536'"
 "store.cc:*: 'isEmpty()'"

There are a number of known attacks involved for both of these
assertions. Almost all are now fully fixed or rendered harmless to other
transactions. However, some hard-to-trigger ones are not yet resolved.

Normally we would not release this advisory and packages until a full
fix or workaround was confirmed. However these assertions have recently
become the topic of a lot of public discussion and a trivial PoC is now
available. We have chosen to release the existing fixes now as work
continues towards a final resolution.

  All Squid-3 and Squid-4 releases to date are affected.

See the advisory for further details. Upgrade or patching should be
considered a high priority.


* Bug 4111: leave_suid() does not properly handle error codes returned
by setuid

This bug was technically a privilege escalation. However, there are no
known instances of it occurring. So it is considered a minor issue and
this change should have no noticeable effects on installations.

However, be aware that any installations which would previously have
been at risk and were ignoring the security ALERT messages will now
abort with a FATAL error. In such cases the system environment needs to
be corrected so that Squid will run without needing root privileges for
the HTTP handling worker process.


* Fix external_acl parameters separated by %20 instead of space

The 'ACL data' sent to external ACL helpers may contain whitespace
delimited lists of ACL values to be tested, or otherwise used by the helper.

It has come to light that the Squid-4 backward compatibility code in
external ACL helper lookup handling, for the case when the %DATA token(s)
sent to the helper are to be %-encoded as a single token, is unable to
accurately emulate previous versions. Due to various bugs, Squid-3
versions alternately encoded the explicit %DATA token as a single token,
sent "-" as its value (again as a single value), or implicitly sent an
individually encoded set of multiple values. Older Squid-2 sent a
different set of possibilities as well.

For simplicity as of this release we are dropping backward compatibility
variance in the encoding of %DATA. Token(s) will not be encoded by
default whether explicitly used at a certain position, or implicitly
appended to the lookup line. A logformat encoding modifier must be
specified inside the %DATA format code if the helper requires a single
token/field in its input.

Some helpers may need re-coding or squid.conf updates to handle the new
protocol syntax or potential whitespace in the token(s) produced by
%DATA format code.

For maximum compatibility with older Squid versions, helpers should
expect several whitespace-delimited values on the end of the lookup line,
and RFC1738 un-encoding of what gets given is recommended.



* Fix memory leak using sslcrtvalidator_program with no cache

When the helper response cache is disabled by the ttl=0 parameter for
these helpers previous Squid would leak a large amount of memory used to
store the certificate details.



 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

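
The helper-side handling the 4.0.7 notes recommend (split the trailing whitespace-delimited values, RFC1738-decode each one, and tolerate both the single %20-joined token and the "-" placeholder that older Squid sent), as an added example that is not code from the Squid project. It assumes the helper is defined with a concurrency channel-ID and a "%LOGIN %DATA" lookup format; the group names, users and lookup lines are constructed.

```python
#!/usr/bin/env python3
"""Constructed example of a Squid external ACL helper that accepts the
%DATA encoding variants described in the Squid-4.0.7 notes.
This is not Squid project code; group names, user names and the lookup
lines below are made up for the demonstration."""
import sys
from urllib.parse import unquote

# Lookup lines as different Squid versions might send them for a format of
# "%LOGIN %DATA" (constructed). A leading channel-ID is assumed because the
# helper is assumed to be defined with concurrency=N in external_acl_type.
SAMPLE_LINES = [
    "0 alice staff finance",     # Squid-4: several plain values appended
    "1 bob staff%20finance",     # older Squid: one %-encoded token
    "2 carol -",                 # older Squid: "-" placeholder, no data
    "3 dave staff%2Ffinance",    # value carrying an encoded "/"
]

# Constructed policy: groups a request may name and still be allowed.
ALLOWED_GROUPS = {"staff", "finance"}


def parse_lookup_line(line, concurrent=True):
    """Return (channel_id, user, values) for one helper lookup line.

    Tokens are split on whitespace and each one RFC1738-decoded, as the
    release notes recommend. A single %20-joined token from an older Squid
    is re-split after decoding so the helper always sees a list of values
    (this assumes individual values never contain whitespace). A lone "-"
    is the placeholder older Squid sent when %DATA was empty.
    """
    tokens = line.split()
    channel = tokens.pop(0) if concurrent and tokens else None
    user = unquote(tokens.pop(0)) if tokens else ""
    values = []
    for tok in tokens:
        if tok == "-":
            continue
        values.extend(unquote(tok).split())
    return channel, user, values


def decide(values, allowed=ALLOWED_GROUPS):
    """Helper verdict: OK when every requested group is permitted, ERR
    otherwise (including when Squid sent no data at all)."""
    if not values:
        return "ERR"
    return "OK" if all(v in allowed for v in values) else "ERR"


def respond(line, concurrent=True):
    """Build the reply line for one lookup, in the helper protocol shape
    "[channel-ID] OK|ERR|BH [key=value ...]". BH signals a helper-side
    problem, here a line that carried no user token."""
    channel, user, values = parse_lookup_line(line, concurrent)
    if not user:
        reply = "BH message=missing-user"
    else:
        reply = f"{decide(values)} user={user}"
    return f"{channel} {reply}" if channel is not None else reply


def main():
    # Squid writes one lookup per line and waits for the reply, so flush.
    for line in sys.stdin:
        print(respond(line), flush=True)


if __name__ == "__main__":
    if sys.stdin.isatty():
        # Interactive run: show how each constructed variant is answered.
        for sample in SAMPLE_LINES:
            print(sample, "->", respond(sample))
    else:
        main()
```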


[squid-announce] [ADVISORY] SQUID-2016:4 Denial of Service issue in HTTP Response processing.

2016-04-02 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:4
__

Advisory ID:        SQUID-2016:4
Date:               April 02, 2016
Summary:            Denial of Service issue
                    in HTTP Response processing.
Affected versions:  Squid 3.x -> 3.5.15
                    Squid 4.x -> 4.0.7
Fixed in version:   Squid 4.0.8, 3.5.16
__

http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3948
__

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to a denial
 of service attack when processing HTTP responses.

__

Severity:

 This problem allows a malicious client script and remote server
 delivering certain unusual HTTP response syntax to trigger a
 denial of service for all clients accessing the Squid service.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.16 and 4.0.8.

 In addition, a patch addressing this problem for the stable
 release can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All unpatched Squid-3.0 versions are vulnerable.

 All unpatched Squid-3.1 versions are vulnerable.

 All unpatched Squid-3.2 versions are vulnerable.

 All unpatched Squid-3.3 versions are vulnerable.

 All unpatched Squid-3.4 versions are vulnerable.

 All unpatched Squid-3.5 up to and including Squid-3.5.15 are
 vulnerable.

 All unpatched Squid-4.0 up to and including 4.0.7 are vulnerable.

__

Workaround:

 There are no good workarounds known for this vulnerability.

 The following squid.conf settings can protect Squid-3.5 (only):

   acl Vary rep_header Vary .
   store_miss deny Vary

Or,

 The following squid.conf setting can protect Squid-3.0 or later:

   cache deny all

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was reported by Santiago R. Rincon of Debian.
 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2016-03-20 11:25:04 UTC Initial Report
 2016-04-01 06:15:31 UTC Patch Released
__
END


[squid-announce] [ADVISORY] SQUID-2016:3 Buffer overrun issue in pinger ICMPv6 processing.

2016-04-02 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:3
__

Advisory ID:        SQUID-2016:3
Date:               April 02, 2016
Summary:            Buffer overrun issue
                    in pinger ICMPv6 processing.
Affected versions:  Squid 3.1.0 -> 3.5.15
                    Squid 4.0 -> 4.0.7
Fixed in version:   Squid 4.0.8, 3.5.16
__

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3947
__

Problem Description:

 Due to a buffer overrun the Squid pinger binary is vulnerable to
 denial of service or information leak attack when processing
 ICMPv6 packets.

 This bug also permits the server response to manipulate the
 processing of other ICMP and ICMPv6 queries to cause an information leak.
__

Severity:

 This bug allows any remote server to perform a denial of service
 attack on the Squid service by crashing the pinger. This may
 affect Squid HTTP routing decisions. In some configurations,
 sub-optimal routing decisions may result in serious service
 degradation or even transaction failures.

 If the system does not contain buffer-overrun protection leading
 to that crash, this bug will instead allow attackers to leak
 arbitrary amounts of information from the heap into Squid log
 files. This is of higher importance than usual because the pinger
 process operates with root privileges.
__

Updated Packages:

 This bug is fixed by Squid version 3.5.15 and 4.0.8.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.1:
 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch

Squid 3.2:
 http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch

Squid 3.3:
 http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch

Squid 3.4:
 http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x versions are not vulnerable to this problem.

 All Squid-3.0 versions are not vulnerable to this problem.

 All Squid built with --disable-icmp are not vulnerable to this
 problem.

 All Squid built with --disable-ipv6 are not vulnerable to this
 problem.

 All Squid-3.x configured with "pinger_enable off" in squid.conf
 are not vulnerable to this problem.

 Check the server running processes list to determine if the Squid
 service is running a "pinger" child process.

 All unpatched Squid-3 versions up to and including 3.5.15
 running the pinger process are vulnerable to this problem.

 All unpatched Squid-4 versions up to and including 4.0.7
 running the pinger process are vulnerable to this problem.

__

Workaround:

 Disable the pinger process in squid.conf:

   pinger_enable off

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported and fixed by Yuriy M. Kaminskiy.

__

Revision history:

 2016-02-21 23:42:28 GMT Initial Report
 2016-03-28 22:52:58 GMT Patch Released
__
END


[squid-announce] Squid 3.5.16 is available

2016-04-02 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.16 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:4 - Denial of Service issue in HTTP Response processing

http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
 "String.cc:*: 'len_ + len <65536'"

There is an attack in the wild for this one, but not as widely as for
the previous issues.


* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.

All previous Squid-3 releases are affected by both these issues. See the
advisory for further details. Upgrade or patching should be considered a
high priority.


* pinger: drop capabilities on Linux

On Linux, it is now possible to install pinger helper with only
CAP_NET_RAW permissions raised instead of full setuid-root:

  (setcap cap_net_raw+ep /path/to/pinger &&
   chmod u-s /path/to/pinger) || :

Other operating systems without libcap capabilities features are not
affected by this change.


* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion

This rather crippling bug appears after the CVE-2016-2569 patch. It
turned out to be a race condition closing connections and has now been
fully fixed.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
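
An added check for the pinger change described in the 3.5.16 announcement above (example code, not part of the announcement and not Squid project code). It reports whether an installed pinger binary is still setuid-root, or instead carries file capabilities, and decodes the Linux security.capability xattr so that "exactly CAP_NET_RAW, nothing more" can be confirmed rather than assumed. Assumptions: the xattr uses the Linux vfs_cap_data layout (revision 2 or 3, little-endian u32 fields), CAP_NET_RAW is capability number 13, and the default path /usr/lib/squid/pinger is only a placeholder for wherever your package installs the helper.

```python
"""Audit how the Squid pinger helper is installed on Linux.

Added example, not Squid project code. It reports whether the binary is
still setuid-root, or carries file capabilities, and decodes those
capabilities so that "exactly CAP_NET_RAW" can be confirmed.

Assumptions: the security.capability xattr uses the Linux vfs_cap_data
layout (revision 2 or 3, little-endian u32 fields) and CAP_NET_RAW is
capability number 13.
"""
import os
import stat
import struct
import sys

CAP_NET_RAW = 13
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def decode_file_caps(blob):
    """Decode a security.capability xattr value.

    Returns {"revision": n, "effective": bool, "permitted": set of cap numbers}.
    """
    if len(blob) < 20:
        raise ValueError("capability xattr too short: %d bytes" % len(blob))
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic >> 24
    if revision not in (2, 3):
        raise ValueError("unsupported vfs_cap_data revision %d" % revision)
    # Both revisions carry two (permitted, inheritable) u32 pairs: low word
    # first, then high word. Revision 3 appends a rootid we do not need.
    lo_perm, _lo_inh, hi_perm, _hi_inh = struct.unpack_from("<IIII", blob, 4)
    bits = lo_perm | (hi_perm << 32)
    return {
        "revision": revision,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {n for n in range(64) if bits & (1 << n)},
    }


def encode_file_caps(permitted, effective=True):
    """Build a revision-2 blob; used here only to construct test input."""
    bits = 0
    for n in permitted:
        bits |= 1 << n
    magic = (2 << 24) | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, bits & 0xFFFFFFFF, 0, bits >> 32, 0)


def classify(setuid, owner_root, caps):
    """Map the observed privilege state to a verdict.

    "setuid-root"  still setuid root, the broad privilege this change removes
    "cap-net-raw"  no setuid; file caps are exactly CAP_NET_RAW (intended state)
    "excess-caps"  no setuid, but more capabilities than CAP_NET_RAW
    "unprivileged" neither; pinger will not be able to open raw sockets
    """
    if setuid and owner_root:
        return "setuid-root"
    if caps == {CAP_NET_RAW}:
        return "cap-net-raw"
    if caps:
        return "excess-caps"
    return "unprivileged"


def audit_pinger(path):
    """Inspect the binary at path and return its privilege state and verdict."""
    st = os.stat(path)
    setuid = bool(st.st_mode & stat.S_ISUID)
    owner_root = (st.st_uid == 0)
    caps = set()
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is not None:
        try:
            caps = decode_file_caps(getxattr(path, "security.capability"))["permitted"]
        except OSError:
            caps = set()  # ENODATA/ENOTSUP: no capability xattr present
    return {"setuid": setuid, "owner_root": owner_root, "caps": caps,
            "verdict": classify(setuid, owner_root, caps)}


if __name__ == "__main__":
    # The default path is an assumption; pass wherever your package installs pinger.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/squid/pinger"
    print(audit_pinger(target))
```

Run it after applying the setcap/chmod pair from the announcement; the expected verdict is "cap-net-raw". A "setuid-root" verdict means the chmod u-s step did not take effect, and "excess-caps" means the binary was granted more than cap_net_raw, which is worth correcting before relying on the reduced privilege.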


[squid-announce] Squid 4.0.8 beta is available

2016-04-02 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.8 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:4 - Denial of Service issue in HTTP Response processing

http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
"String.cc:*: 'len_ + len <65536'"

There is an attack in the wild for this one, but not as widely as for
the previous issues.


* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.


All previous Squid-4 releases are affected by both these issues. See the
advisory for further details. Upgrade should be considered a high priority.


* Bug #3826: SMP compatibility with systemd and --foreground option

The process management redesign in Squid-4 has finally reached a point
where we can say Squid is compatible with the systemd init system even
when SMP workers are used. A .service file is provided to control Squid
properly without any noticeable glitches or lack of SMP functionality.

These changes are not specific to systemd, the same design fixes many
outstanding issues Squid had with Upstart and OpenRC init systems and
third party daemon managers in general.


* Bug #1979: Add ACL-driven server_pconn_for_nonretriable

This new squid.conf directive allows the admin to tune when Squid can re-use
existing persistent connections for requests such as POST which are
usually quite risky. The risk is that the connection gets terminated
suddenly while Squid is still sending and it has to be bumped back to
the client as an error page. Some networks are loaded with enough
traffic that this is only a low risk and can use persistent connections
fine.


* Bug #4459: FHS compliance updates

The FHS standard indicates the /var/cache/squid/ path should be used for
cached data. The netdb features data journal fully meets the criteria so
has been moved there. The ssl_crtd database (ssl_db/ directory) almost
meets the criteria, and has been moved due to its security need for
particular path permissions.

Explicitly configured alternative locations will remain where they are.
New installations and implicit default paths will automatically change
to using these locations when upgrading to this Squid version.


* Add reply_header_add directive

This new directive adds the ability to add custom response headers to
replies sent to the client, matching the already existing
request_header_add directive, which operates on server requests. At
present CONNECT tunnels and 1xx status responses are not affected by
this new directive.


* Add reply_header_add directive

When using SMP functionality Squid makes use of shared memory. If the
system is not able to allocate enough memory Squid can crash with SIGBUS
errors.

This new directive adds the ability to pre-allocate all necessary shared
memory when Squid is starting. Doing this will ensure that Squid has the
necessary amount of shared memory available when running (or will halt
during startup), but the process can be quite slow. The default for now
is to retain the old behaviour and allocate shared memory only when it
is needed.



 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 3.5.17 is available

2016-04-21 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.17 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:5 - Buffer overflow in cachemgr.cgi

http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
aka. CVE-2016-4051

Due to incorrect buffer management the Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.


* SQUID-2016:6 - Multiple issues in ESI processing.

http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are
at risk. Check the advisory for more specific details on determining
whether your Squid is vulnerable.


* Bug #4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt

This bug was a regression introduced by the CVE-2016-3948 patch. Any
Squid patched for that issue should have this bug patched as well.


* Bug 4465: Header forgery detection leads to crash

This very annoying bug has finally been tracked down and solved.


* Add chained and signing cert to peek-then-bumped connections.

Until now Squid with this particular configuration case was only
delivering one of the certificates in the chain. Which can cause
problems when the clients are configured with a CA higher up the chain
than the one Squid is using to sign generated domain certs.

From this release onwards Squid will deliver the whole certificate chain
and let the client determine whether it will be trusted or not.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 4.0.9 beta is available

2016-04-21 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.9 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:5 - Buffer overflow in cachemgr.cgi

http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
aka. CVE-2016-4051

Due to incorrect buffer management the Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.


* SQUID-2016:6 - Multiple issues in ESI processing.

http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are
at risk. Check the advisory for more specific details on determining
whether your Squid is vulnerable.


* Add a new error page token for unquoted external ACL messages.

This small feature addition may be of use to those who have been asking
for ways to insert content into Squid error pages from external ACL
helper responses.


* Stop parsing response prefix after discovering an "HTTP/0.9" response.

It appears that there are still some very old servers out there or at
least services using port 80 for non-HTTP protocols. The new Squid-4
parser has not been dealing with these very well. This release should be
a lot more stable with the HTTP/1.1 conversion of that response traffic.



 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2016:5 Buffer overflow in cachemgr.cgi

2016-04-21 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:5
__

Advisory ID:SQUID-2016:5
Date:   April 20, 2016
Summary:Buffer overflow in cachemgr.cgi
Affected versions:  Squid 2.x all releases
Squid 3.x -> 3.5.16
Squid 4.x -> 4.0.8
Fixed in version:   Squid 3.5.17, 4.0.9
__

http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051
CESG REF: 56397140 / VULNERABILITY ID: 394201
__

Problem Description:

 Due to incorrect buffer management the Squid cachemgr.cgi tool is
 vulnerable to a buffer overflow when processing remotely supplied
 inputs relayed to it from Squid.

__

Severity:

 This problem allows any client to seed the Squid manager reports
 with data that will cause a buffer overflow when processed by
 the cachemgr.cgi tool.

 However, this does require manual administrator actions to take
 place, which greatly reduces the impact and possible uses.
__

Updated Packages:

 This bug is fixed by Squid versions 3.5.17 and 4.0.9

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.2:
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch>

Squid 3.3:
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch>

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid proxy is not vulnerable. The problem is isolated to the
 manager CGI interface tool.

 The vulnerability is also limited to reports displaying full URL
 and/or similar unbounded values provided by the client. That
 includes the reports:

  filedescriptors, objects, vm_objects, active_requests,
  client_list, and mem on certain systems.


 cachemgr.cgi tool displays its version number in the HTML page
 footer:

  All 2.x versions up to and including 2.7.STABLE9 are vulnerable.

  All 3.x versions up to and including 3.5.16 are vulnerable.

  All 4.x versions up to and including 4.0.8 are vulnerable.

  If your cachemgr.cgi does not display a version it is likely
  to be one of the older vulnerable versions.

__

Workaround:

 Use tools other than cachemgr.cgi, such as squidclient to view
 affected reports until the CGI tool can be patched or upgraded.

OR,

 In recent Squid versions use the HTTP management interface
 directly from the squid proxy to view affected reports.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was discovered independently by CESG and
 by Yuriy M. Kaminskiy.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2016-04-15 10:54:39 GMT Initial Report
 2016-04-20 03:54:54 GMT Patches Released
 2016-04-20 13:42:00 GMT Packages Released
 2016-04-20 15:47:01 GMT CVE Assigned
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2016:6 Multiple issues in ESI processing.

2016-04-21 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:6
__

Advisory ID:SQUID-2016:6
Date:   April 20, 2016
Summary:Multiple issues in ESI processing.
Affected versions:  Squid 3.x -> 3.5.16
Squid 4.x -> 4.0.8
Fixed in version:   Squid 3.5.17, 4.0.9
__

http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4054
CESG REF: 56284998 / VULNERABILITY ID: 393536
__

Problem Description:

 Due to buffer overflow issues Squid is vulnerable to a denial
 of service attack when processing ESI responses.

 Due to incorrect input validation Squid is vulnerable to public
 information disclosure of the server stack layout when processing
 ESI responses.

 Due to incorrect input validation and buffer overflow Squid is
 vulnerable to remote code execution when processing ESI
 responses.
__

Severity:

 These problems allow ESI components to be used to perform a
 denial of service attack on the Squid service and all other
 services on the same machine.

 Under certain build conditions these problems allow remote
 clients to view large sections of the server memory.

 However, the bugs are exploitable only if you have built and
 configured the ESI features to be used by a reverse-proxy and if
 the ESI components being processed by Squid can be controlled by
 an attacker.
__

Updated Packages:

 These bugs are fixed by Squid version 3.5.17 and 4.0.9.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.2:
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch>

Squid 3.3:
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch>

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

Use the command 'squid -v' to view version and build details of
your proxy;

 All Squid 2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid built without --enable-esi are not vulnerable.


Check squid.conf or use the (version 3.4+) command
  (squid -k parse 2>&1) | grep "Processing: http.*_port"
to view the active configuration settings for your proxy;

 Unpatched Squid 3.x and 4.x built with --enable-esi and
 configured with 'accel' or 'vhost' or 'defaultsite=' or
 'ssl-bump' on an http_port or https_port are vulnerable.

 All Squid configured without reverse-proxy or ssl-bump are
 not vulnerable.

__

Workaround:

 Build Squid with --disable-esi if ESI is not needed.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported by CESG.

 Fixed by Amos Jeffries, Treehouse Networks Ltd.

__

Revision history:

 2016-04-15 10:54:39 GMT Initial Report
 2016-04-20 03:54:54 GMT Patches Released
 2016-04-20 13:42:00 GMT Packages Released
 2016-04-20 15:47:01 GMT CVE Assigned
__
END
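
The "Determining if your version is vulnerable" section of the advisory above, and the "check the advisory" advice in the 3.5.17 and 4.0.9 announcements, describe three tests. The following is an added example (not Squid project code and not part of the advisory) that applies those tests to captured command output: the version and configure options printed by `squid -v`, and the port directives echoed by `squid -k parse 2>&1`. The version cut-offs (3.5.16 and 4.0.8) and the port options (accel, vhost, defaultsite=, ssl-bump) are taken from the advisory; the sample outputs embedded below are constructed for this example, and branches the advisory does not list (2.x) are treated as not affected.

```python
"""Apply the SQUID-2016:6 vulnerability checks to captured Squid output.

Added example, not Squid project code. It implements the three tests in
the advisory: version (3.x up to 3.5.16 and 4.x up to 4.0.8 are
affected), whether ESI was compiled in (--enable-esi present and not
overridden by --disable-esi in `squid -v`), and whether any http_port or
https_port in `squid -k parse 2>&1` output carries accel, vhost,
defaultsite= or ssl-bump. The sample outputs are constructed inputs.
"""
import re

LAST_VULNERABLE = {3: (3, 5, 16), 4: (4, 0, 8)}   # per branch, from the advisory
RISKY_PORT_OPTIONS = ("accel", "vhost", "defaultsite=", "ssl-bump")

# Constructed sample of `squid -v` output for a vulnerable build.
SAMPLE_SQUID_V = """Squid Cache: Version 3.5.16
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi' '--with-openssl' '--enable-ssl-crtd'
"""

# Constructed sample of `squid -k parse 2>&1` output: one forward-proxy
# port and two reverse-proxy ports.
SAMPLE_SQUID_K_PARSE = """2016/04/21 10:00:00| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/04/21 10:00:00| Processing: http_port 3128
2016/04/21 10:00:00| Processing: http_port 80 accel vhost defaultsite=www.example.com
2016/04/21 10:00:00| Processing: https_port 443 accel cert=/etc/squid/site.pem
2016/04/21 10:00:00| Processing: cache_peer 10.0.0.10 parent 8080 0 no-query originserver
"""


def parse_version(squid_v_output):
    """Extract (major, minor, patch) from the 'Squid Cache: Version x.y.z' line."""
    m = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", squid_v_output)
    if not m:
        raise ValueError("no 'Version x.y.z' line found in squid -v output")
    return tuple(int(g or 0) for g in m.groups())


def esi_enabled(squid_v_output):
    """True only if --enable-esi is in the configure options and --disable-esi is not."""
    m = re.search(r"configure options:(.*)", squid_v_output)
    flags = set(re.findall(r"--(enable|disable)-esi\b", m.group(1) if m else ""))
    return "enable" in flags and "disable" not in flags


def risky_ports(squid_k_parse_output):
    """Return the http_port/https_port lines that enable reverse-proxy or SSL-Bump modes."""
    found = []
    for line in squid_k_parse_output.splitlines():
        m = re.search(r"Processing:\s+(https?_port\s.*)", line)
        if not m:
            continue
        directive = m.group(1).strip()
        options = directive.split()[2:]          # drop directive name and listen spec
        if any(opt.startswith(risky) for opt in options for risky in RISKY_PORT_OPTIONS):
            found.append(directive)
    return found


def assess(squid_v_output, squid_k_parse_output):
    """Combine the three checks; 'vulnerable' is True only if none of them clears the proxy."""
    version = parse_version(squid_v_output)
    reasons = []
    branch = version[0]
    if branch not in LAST_VULNERABLE:
        reasons.append("Squid %d.x is not affected" % branch)
    elif version > LAST_VULNERABLE[branch]:
        reasons.append("version %s already contains the fix" % ".".join(map(str, version)))
    if not esi_enabled(squid_v_output):
        reasons.append("ESI is not compiled in")
    ports = risky_ports(squid_k_parse_output)
    if not ports:
        reasons.append("no accel/vhost/defaultsite/ssl-bump ports configured")
    return {"version": version, "vulnerable": not reasons, "reasons": reasons, "ports": ports}


if __name__ == "__main__":
    print(assess(SAMPLE_SQUID_V, SAMPLE_SQUID_K_PARSE))
```

Feed it real output with `squid -v` and `squid -k parse 2>&1` (the parse output goes to stderr, hence the redirect). Note that this only reproduces the advisory's own criteria; a patched vendor package may report an older version string while carrying the fix, which is why the advisory points packaged installs to their vendor.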

[squid-announce] Squid 4.0.10 beta is available

2016-05-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.10 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling

http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
aka. CVE-2016-4553

 Due to incorrect data validation of intercepted HTTP Request
 messages Squid is vulnerable to clients bypassing the protection
 against CVE-2009-0801 related issues. This leads to cache
 poisoning.


* SQUID-2016:9 - Multiple Denial of Service issues in ESI.

http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
aka. CVE-2016-4555 and CVE-2016-4556.

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.


* Accumulate fewer unknown-size responses to avoid overwhelming disks.

Earlier Squid had the behaviour of accumulating large amounts of data in
RAM for unknown-size objects before deciding where to cache them. That
could result in the disk I/O controller and CPU being overwhelmed with
data write operations. In outward appearance Squid would 'hang' for a
short time, then recover. If the overall traffic loading was also very
high the traffic speed could drop noticeably.

This release improves the decision making process. It should result in
lower RAM requirements for some client transactions, and also smoother
disk I/O and CPU usage under high loads.


* Fix a shared memory corruption when storing multi-slot (>32KB) MISS

This is a recent regression in Squid-4.0.8. Other Squid releases are not
affected. It could have resulted in corrupt objects being stored into
disk cache, so erasing and rebuilding disk caches used by affected
Squid-4 is recommended.


 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 3.5.19 is available

2016-05-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.19 release!


This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.


The major changes to be aware of:


* SQUID-2016:7 - Cache poisoning issue in HTTP Request handling

http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
aka. CVE-2016-4553

 Due to incorrect data validation of intercepted HTTP Request
 messages Squid is vulnerable to clients bypassing the protection
 against CVE-2009-0801 related issues. This leads to cache
 poisoning.


* SQUID-2016:8 - Header smuggling issue in HTTP Request processing

http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
aka. CVE-2016-4554

 This problem allows a client to smuggle Host header value past
 same-origin security protections to cause Squid operating as
 interception or reverse-proxy to contact the wrong origin
 server, also poisoning any downstream cache which stores the
 response.

 However, the cache poisoning is only possible if the caching
 agent (browser or explicit/forward proxy) is not following RFC
 7230 processing guidelines and lets the smuggled value through.

 Note that all releases of Squid up to and including this one do not
 follow that recently added RFC guideline.


* SQUID-2016:9 - Multiple Denial of Service issues in ESI.

http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
aka. CVE-2016-4555 and CVE-2016-4556.

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.

 Due to unrelated changes Squid-3.5 has become vulnerable to some
 regular ESI server responses also triggering one or more of these
 issues.


* Bug 4498: URL-unescape the login-info after extraction from URI

This bug shows up as the encoded form of credentials that are
URL-escaped being delivered to the authentication helpers or relayed to
FTP servers if in an ftp:// URL when the un-escaped form is needed. It
commonly affects credentials which contain characters other than plain
ASCII alphanumerics.


* TLS: Fix SSL alert message and session resume handling

Previous Squid did not handle SSL/TLS server responses that start with an
SSL Alert Record and also failed to detect and handle resuming sessions.


* Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

Previous Squid would always send the "-b" command line option to its
certificate generator helper. If the installation was using a custom
helper, this could lead to very annoying issues.



 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2016:7 Cache poisoning issue in HTTP Request handling

2016-05-09 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:7
__

Advisory ID:SQUID-2016:7
Date:   May 06, 2016
Summary:Cache poisoning issue
in HTTP Request handling
Affected versions:  Squid 3.2.0.11 -> 3.5.17
Squid 4.x -> 4.0.9
Fixed in version:   Squid 3.5.18, 4.0.10
__

http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4553
__

Problem Description:

 Due to incorrect data validation of intercepted HTTP Request
 messages Squid is vulnerable to clients bypassing the protection
 against CVE-2009-0801 related issues. This leads to cache
 poisoning.

__

Severity:

 This problem is serious because it allows any client, including
 browser scripts, to bypass local security and poison the proxy
 cache and any downstream caches with content from an arbitrary
 source.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.18 and 4.0.10.

 In addition, a patch addressing this problem for the stable
 release can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

Use the command 'squid -v' to view version and build details of
your proxy;

 All Squid 2.x are not vulnerable.

 All Squid-3.x up to and including 3.2.0.10 are not vulnerable.

 All Squid-3.2.0.11 and later versions up to and including 3.5.17
 are vulnerable.

 All Squid-4.x up to and including 4.0.9 are vulnerable.

__

Workaround:

 Add to squid.conf:
   client_dst_passthru off

And,

 Remove any use of "host_verify_strict" directive.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported by Jianjun Chen from Tsinghua
 University.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2016-04-15 10:54:39 UTC Initial Report
 2016-05-02 10:51:18 UTC Patch Released
 2016-05-06 13:12:00 UTC Packages Released
 2016-05-06 14:46:41 UTC CVE Assignment
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2016:8 Header smuggling issue in HTTP Request processing

2016-05-09 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:8
__

Advisory ID:SQUID-2016:8
Date:   May 06, 2016
Summary:Header smuggling issue
in HTTP Request processing
Affected versions:  Squid 1.x -> 3.5.17
Fixed in version:   Squid 3.5.18
__

http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554
__

Problem Description:

 Due to incorrect input validation Squid is vulnerable to a header
 smuggling attack leading to cache poisoning and to bypass of
 same-origin security policy in Squid and some client browsers.

__

Severity:

 This problem allows a client to smuggle Host header value past
 same-origin security protections to cause Squid operating as
 interception or reverse-proxy to contact the wrong origin
 server, also poisoning any downstream cache which stores the
 response.

 However, the cache poisoning is only possible if the caching
 agent (browser or explicit/forward proxy) is not following RFC
 7230 processing guidelines and lets the smuggled value through.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.18

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.1:
 <http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch>

Squid 3.2:
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch>

Squid 3.3:
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch>

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

  All 2.x versions up to and including 2.7.STABLE9 are vulnerable.

  All 3.x versions up to and including 3.5.17 are vulnerable.

  All 4.x versions are not vulnerable.

__

Workaround:

 There are no workarounds for this problem.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The vulnerability was reported by Jianjun Chen from Tsinghua
 University.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2016-04-26 09:29:13 UTC Initial Report
 2016-05-02 03:39:35 UTC Patches Released
 2016-05-06 13:12:00 UTC Packages Released
 2016-05-06 14:46:41 UTC CVE Assignment
 2016-05-08 12:45:58 UTC Patches Updated
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2016:9 Multiple Denial of Service issues in ESI Response processing.

2016-05-09 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:9
__

Advisory ID:        SQUID-2016:9
Date:               May 06, 2016
Summary:            Multiple Denial of Service issues
                    in ESI Response processing.
Affected versions:  Squid 3.x -> 3.5.17
                    Squid 4.x -> 4.0.9
Fixed in version:   Squid 4.0.10, 3.5.18
__

http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556
__

Problem Description:

 Due to incorrect pointer handling and reference counting Squid is
 vulnerable to a denial of service attack when processing ESI
 responses.

__

Severity:

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.

 Due to unrelated changes Squid-3.5 has become vulnerable to some
 regular ESI server responses also triggering one or more of these
 issues.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.18 and 4.0.10.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid-3.0 versions built without --enable-esi are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and used for
 reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.17 being used for reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.17 being used for TLS / HTTPS interception are
 vulnerable.

 All unpatched Squid-4.0 up to and including Squid-4.0.9
 being used as reverse-proxy are vulnerable.

 All unpatched Squid-4.0 up to and including Squid-4.0.9
 being used as TLS/HTTPS intercept proxy are vulnerable.

__

Workaround:

 Build Squid with --disable-esi

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The initial issue was reported by "bfek-18".

 Additional issues and an attack vector were reported by "@vftable".

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2016-03-02 15:12:12 UTC Initial Report
 2016-05-01 23:48:27 UTC Additional Issue Report
 2016-05-06 09:39:48 UTC Patches Released
 2016-05-06 13:12:00 UTC Packages Released
 2016-05-06 14:46:41 UTC CVE Assignment
__
END


[squid-announce] Squid 4.0.11 beta is available

2016-06-13 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.11 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* HTTP/1.1: unfold mime header block

HTTP/1.0 allowed headers to be whitespace folded, which can lead to
problems like CVE-2016-4553 fixed in the previous release. RFC 7230 for
HTTP/1.1 now prohibits the practice and requires proxies to remove the
folding. This release of Squid does so and thus hardens all HTTP traffic
flowing through it against such attacks.

The squidclient tool -H option has also been extended to accept more
shell-escape characters which are useful in testing for those types of
issues.


* HTTP/1.1 chunked encoding improvements

 - Bug #4492: chunked parser needs to accept BWS after chunk size

This fixes issues interoperating with IBM servers which have been
identified as sending whitespace padding in the chunked encoding size
field when they should not.

 - Allow chunking the last HTTP response on a connection.

Previous Squid did not use chunked encoding when prior knowledge
indicated that the connection was to be closed immediately after the
message payload. This made some sense in reducing workload and delays,
but also led to difficulty identifying connection related errors
sending those objects.

Squid will now always use chunked encoding for messages with unknown
length payloads. This should reduce the number of unexpectedly hung
connections or truncated objects.


* TLS improvements

This release adds significant performance improvements to the SSL-Bump
feature's 'peek' action locating client handshake details such as SNI.

Initial experimental GnuTLS support for some functionality within the
squid binary has been turned on. squid.conf settings which have been
renamed in Squid-4 to begin with the 'tls' rather than the 'ssl' moniker
have GnuTLS support as well as OpenSSL support.
However, be aware that only a very limited set of background actions
actually use GnuTLS. The most visible effect is squid.conf support.
Features such as listening https_ports, ssl-bump and TLS connections
still require OpenSSL.


* ie_refresh directive is removed

This directive was a workaround hack for MSIE 3, 4 and 5 behaviour.
Since those browser versions appear to be no longer in any significant
amount of use this hack has been removed to simplify HTTP message
processing.


* Deprecating SMB LanMan helpers

The SMB LanMan helpers have now been removed from the set which are
auto-detected and built by default. For the present their code is
retained and can be built by explicitly listing "SMB_LM" in the Basic or
NTLM authentication helpers list.

The LanMan authentication protocols were deprecated sometime around
1996. Any installations still using either of these helpers are
strongly encouraged to upgrade to another authentication system.


* Memory allocation bugs

Several more issues in the deep memory allocation layer of Squid have
been resolved. Most of these probably show up as errors when freeing
memory. We expect this to greatly stabilize Squid-4 in many environments
which have had memory related troubles with the Squid-3 series.



 All users of Squid-4.0.x are encouraged to upgrade to this release.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

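The two HTTP/1.1 framing items in the 4.0.11 notes above (removing obs-fold header folding per RFC 7230, and Bug #4492's tolerance of BWS after a chunk-size) are illustrated by the following added example; it is standalone Python written for this page, not Squid's parser, and the header block and chunked body it uses are constructed samples.

```python
"""HTTP/1.1 framing checks in the spirit of RFC 7230: unfold obs-fold header
lines and parse chunk sizes that carry BWS padding. Added example; not
Squid's own parser."""
import re
from typing import List, Tuple

# RFC 7230 3.2.4: obs-fold = CRLF 1*( SP / HTAB ). A proxy MUST either reject
# a message containing obs-fold or replace each obs-fold with one or more SP
# before interpreting or forwarding it. This example replaces it with one SP.
_OBS_FOLD = re.compile(rb"\r?\n[ \t]+")
_LINE_END = re.compile(rb"\r?\n")


def unfold_header_block(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Parse a raw header block (request-line already removed) into
    (name, value) pairs with every obs-fold collapsed to a single SP.

    Field names with whitespace before the colon are rejected, as RFC 7230
    3.2.4 requires, so a downstream parser cannot see a different field
    boundary than this one did."""
    fields: List[Tuple[bytes, bytes]] = []
    for line in _LINE_END.split(_OBS_FOLD.sub(b" ", raw)):
        if not line:            # blank line: end of the header block
            break
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip(b" \t"):
            raise ValueError("invalid header field line: %r" % line)
        fields.append((name, value.strip(b" \t")))
    return fields


# RFC 7230 4.1: chunk-size is 1*HEXDIG, optionally followed by chunk-ext
# (";" ...) and then CRLF. Bug #4492 tolerates BWS (SP / HTAB) between the
# size and whatever follows; anything else in that position is still a
# framing error and is refused rather than guessed at.
_CHUNK_SIZE = re.compile(rb"\A([0-9A-Fa-f]{1,16})[ \t]*(?:;[^\r\n]*)?\Z")


def parse_chunk_size(line: bytes) -> int:
    """Return the size from one chunk-size line (CRLF already stripped)."""
    m = _CHUNK_SIZE.match(line)
    if not m:
        raise ValueError("invalid chunk-size line: %r" % line)
    return int(m.group(1), 16)


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body up to and including the last-chunk (size 0).
    Trailer fields, if any, are left unread; a full implementation would
    feed them through unfold_header_block()."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = parse_chunk_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(out)
        end = pos + size
        # Every chunk-data MUST be followed by CRLF; a mismatch means the
        # sender's framing and ours disagree, so stop instead of resyncing.
        if body[end:end + 2] != b"\r\n":
            raise ValueError("chunk-data not terminated by CRLF")
        out += body[pos:end]
        pos = end + 2


def is_rejected(func, arg) -> bool:
    """True if func(arg) raises ValueError; used to check strictness."""
    try:
        func(arg)
    except ValueError:
        return True
    return False


# Constructed sample: a header block with one obs-fold continuation line.
SAMPLE_HEADERS = (
    b"Host: example.com\r\n"
    b"Accept: text/html,\r\n"
    b"\tapplication/xhtml+xml\r\n"
    b"\r\n"
)

# Constructed sample: chunked body with BWS padding after two chunk sizes.
SAMPLE_CHUNKED = b"5 \r\nhello\r\n6\t;ext=1\r\n world\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, value in unfold_header_block(SAMPLE_HEADERS):
        print(name.decode(), "=", value.decode())
    print(dechunk(SAMPLE_CHUNKED))
    print("rejects '5x':", is_rejected(parse_chunk_size, b"5x"))
```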


[squid-announce] Squid 3.5.20 is available

2016-07-04 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.20 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Fix icons loading speed.

This bug had the annoying result of making Squid startup or restart very
slow. All installations should see a few seconds shaved off startup and
restart.


* Do not allow low-level debugging to hide important/critical messages.

Due to the way debugging log records were produced in previous Squid it
was possible for some important or critical messages containing
complicated message text to become hidden.

Please note that if this version suddenly starts reporting high level
errors previously unseen it may not be a regression, but simply that you
were not seeing them before.


* Support unified EUI format code in external_acl_type.

Squid supports %>eui as a logformat specifier, which produces an EUI-48
for IPv4 clients and an EUI-64 for IPv6 clients. This adds that format
specifier for use in the external ACLs format.


* Fixed ConnStateData::In::maybeMakeSpaceAvailable() logic.

This hopefully resolves some nasty performance behaviours with large
objects where Squid would eventually degrade down to a slow speed
sending many small packets.



 All users of Squid-3 are encouraged to upgrade to this release as
time permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.13 beta is available

2016-08-08 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.13 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* HTTP/1.1: Update all stored headers on 304 revalidation.

Previous specifications for HTTP outlined a limited number of headers
that could be updated by 304 responses to a small set related to
revalidation. The latest RFC 7234 specification removes those limits and
permits custom headers, or content headers to be altered by a 304 response.


* TLS Authority Key Identifier certificate extension

The Server TLS certificate mimic feature now supports mimicking this TLS
extension in Squid generated TLS certificates if possible.


* Collapse internal revalidation requests (SMP-unaware caches).

Prior to these changes, multiple concurrent HTTP requests for the same
stale cached object always resulted in multiple internal revalidation
requests sent by Squid to the origin server. Those internal requests
were likely to result in multiple competing Squid cache updates, causing
cache misses and/or more internal revalidation requests, negating
collapsed forwarding savings.


* kerberos_ldap_group: support SSL/TLS used to connect to an LDAP server

This release of the helper extends and updates the use of TLS/SSL to
support connecting to an LDAP server.


* General portability and stability changes

This release also includes a large number of code polishing and cleanup
changes too small to mention individually, but which resolve a lot of
portability and build issues.



 All users of Squid-4.0.x are encouraged to upgrade to this release.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 3.5.21 is available

2016-09-11 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.21 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Bug #4534: assertion failure in xcalloc when using many cache_dir

Squid is documented as supporting up to 64 cache directories, but would
crash with a memory allocation error if more than a few were actually
configured.


* Bug #4542: authentication credentials IP TTL updated incorrectly

This bug caused errors in max_user_ip ACL accounting that allowed clients
to shift IP address more times than configured. This bug fix may have an
effect on IPv6 clients using "privacy addressing" to rotate IPs.


* Bug #4428: malformed Cache-Control:stale-if-error header

This bug shows up as incorrect stale-if-error values being relayed by
Squid breaking the use of this feature in the recipients. Squid now
relays the header values correctly.


* Bug #3025: Proxy-Authenticate problem using ICAP server

With this change Squid now treats the ICAP REQMOD adaptation point as a
part of itself with regards to proxy authentication. The
Proxy-Authentication header received from the client is delivered as
part of the HTTP request headers in expectation that the ICAP service
may authenticate and/or produce a 407 response itself.

Note that use of stateful or connection-oriented authentication schemes
is not possible. HTTP is designed to operate in a stateless way and any
deviation from that design requires Squid to perform special message
processing.


* HTTP: MUST always revalidate Cache-Control:no-cache responses.

This bug shows up as Squid not revalidating some responses until they
became stale according to refresh_pattern heuristic rules (specifically
the minimum caching age). Squid now revalidates these objects on every
request.


* HTTP: do not allow Proxy-Connection to override Connection header

The Proxy-Connection: header is a long-deprecated experimental header.
For the past decade Squid has been actively stripping it out of relayed
traffic. This release continues the removal process by also preventing
it from having any effect on Squid client connection persistence when a
Connection: header is present.


* SSL CN wildcard must only match a single domain component [fragment].

This bug shows up as incorrect matching (or non-matching) of the
ssl::server_name ACL against TLS certificate values. Squid now treats the
certificate CN fields according to X.509 domain matching requirements
instead of HTTP domain matching requirements.



 All users of Squid-3 are encouraged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

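The wildcard rule from the 3.5.21 note above (a certificate CN wildcard must cover exactly one domain label, per RFC 6125 section 6.4.3) is shown in the following added example beside an HTTP-style suffix match, which is assumed here to be the dstdomain-like rule where a leading dot covers the domain and all subdomains. This is standalone Python written for this page, not Squid's ACL code, and the name pairs are constructed.

```python
"""Certificate-name wildcard matching per RFC 6125 6.4.3, next to the looser
HTTP-style domain suffix match, to show why a CN wildcard must cover exactly
one domain label. Added example; not Squid's ACL implementation."""
from typing import List, Tuple


def _normalise(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot (FQDN form) is ignored.
    return name.strip().lower().rstrip(".")


def x509_name_matches(pattern: str, host: str) -> bool:
    """Match a dNSName/CN value against a host name using X.509 rules.

    * "*" is accepted only as the entire left-most label ("*.example.com");
      partial wildcards such as "w*.example.com" are rejected here (RFC 6125
      permits but discourages them, and most TLS stacks refuse them);
    * the wildcard matches exactly one label: never zero, never several;
    * at least two fixed labels must follow it, so "*.com" matches nothing.
    """
    p, h = _normalise(pattern), _normalise(host)
    if not p or not h:
        return False
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # Equal label counts mean the wildcard stands for exactly one label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def http_domain_matches(pattern: str, host: str) -> bool:
    """HTTP-style suffix matching (assumed dstdomain-like rule): a leading
    dot covers the domain itself and every subdomain at any depth. Applied
    to certificate names this over-matches, which is what the fix avoids."""
    p, h = _normalise(pattern), _normalise(host)
    if p.startswith("."):
        return h == p[1:] or h.endswith(p)
    return p == h


# Constructed cases: (certificate name, host name) pairs worth checking.
CASES: List[Tuple[str, str]] = [
    ("*.example.com", "www.example.com"),
    ("*.example.com", "a.b.example.com"),   # two labels under the wildcard
    ("*.example.com", "example.com"),       # zero labels under the wildcard
    ("*.com", "example.com"),               # too few fixed labels
    ("WWW.Example.COM", "www.example.com."),
]


def compare(cases=CASES) -> List[Tuple[str, str, bool, bool]]:
    """Return (pattern, host, x509_result, http_style_result) for each case,
    so the over-matching of the suffix rule is visible side by side. The
    HTTP-style column treats "*.example.com" as the suffix ".example.com"."""
    return [
        (p, h, x509_name_matches(p, h), http_domain_matches(p.replace("*", ""), h))
        for p, h in cases
    ]


if __name__ == "__main__":
    for pattern, host, x509_ok, http_ok in compare():
        print("%-18s %-20s x509=%-5s http-style=%s" % (pattern, host, x509_ok, http_ok))
```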


[squid-announce] Squid 4.0.14 beta is available

2016-09-11 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.14 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Bugs #4404 and #4503: access.log responses marked _ABORTED

The past few Squid-4 releases have incorrectly logged several
transaction types as ABORTED. This hopefully resolves the
remaining instances of that behaviour.


* Make Squid death due to overloaded helpers optional

Previous Squid versions would halt the entire Squid process if a helper
became too non-responsive and its lookup queue became overloaded. This
release allows the Squid handling behaviour to be configured to simulate
an ERR helper response instead of always halting.


* Crashes on shutdown

The Squid shutdown process when set to a short timeout was crashing
while cleaning up idle ICAP connections. This resolves the ICAP issues,
however some other sources of shutdown crash still remain to be fixed.



* Various HTTP/1.1 compliance updates

Previous Squid releases have a number of compliance issues with RFC 7230
updated HTTP specifications. This release fixes several issues involved
with detecting invalid message framing and required error response
generation.


* General portability and stability changes

This release also includes a large number of code cleanup fixes too
small to mention individually, but which resolve a lot of portability
and build issues.

The release size appears to be very large, however the majority of
alterations are in documentation and translation updates for Squid-4.



 All users of Squid-4.0.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.15 beta is available

2016-10-12 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.15 release!


This release is a bug fix and stability release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

In this release there are no major changes. Despite the size of code
committed most of the change has been small polishing and stability
changes. Some incidental and minor memory leaks have been resolved, and
some crashes introduced by the new Squid-4 features have been resolved.


One change shared with 3.5.22 is noteworthy as it affects cache storage
formats:

* Bug #4471: revalidation doesn't work when expired cached object lacks
  Last-Modified header.

Historically Squid used only the Last-Modified header value for evaluating
an entry's last modification time while making internal revalidation
requests. So, without Last-Modified it was not possible to correctly fill
the If-Modified-Since header value, which would result in many
unnecessary MISSes. This release now uses the Date header to synthesize a
Last-Modified value if none is provided.

IMPORTANT:
This change introduces a binary difference in all cache objects stored by
Squid-4.0.15 or later, and by Squid-3.5.22 or later.
 * When upgrading, older cache content is handled automatically.
 * When downgrading for any reason to an older version the cache will
need to be erased and rebuilt from empty to remove those new objects.


 All users of Squid-4.0.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 3.5.22 is available

2016-10-12 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.22 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Bug #4471: revalidation doesn't work when expired cached object lacks
  Last-Modified header.

Historically Squid used only the Last-Modified header value for evaluating
an entry's last modification time while making internal revalidation
requests. So, without Last-Modified it was not possible to correctly fill
the If-Modified-Since header value, which would result in many
unnecessary MISSes. This release now uses the Date header to synthesize a
Last-Modified value if none is provided.

IMPORTANT:
This change introduces a binary difference in all cache objects stored.
 * When upgrading, older cache content is handled automatically.
 * When downgrading for any reason to an older version the cache will
need to be erased and rebuilt from empty to remove those new objects.


* Bug #4228: ./configure bug/typo

This bug caused Squid ./configure script to incorrectly fail to detect
missing but required Heimdal and GNU GSS Kerberos libraries. Squid would
build as if it were successful, then not provide the expected Kerberos
support and helpers.


* Bug #3819: "fd >= 0" assertion in file_write() during reconfiguration

This bug shows up as UFS code hitting assertions if it has to log
entries or rebuild swap.state during reconfiguration steps.

Asynchronous UFS cache_dirs such as diskd were the most exposed, but
even blocking UFS caching code could probably hit [rebuild] assertions.
The swap.state rebuilding (always initiated at startup) probably did not
work as intended if reconfiguration happened during the rebuild time
because reconfiguration closed the swap.state file being rebuilt.

Squid now protects that swap.state file and delays rebuilding progress
until reconfiguration is over. There may be other related issues still
present.


* Bug #2833: Collapse internal revalidation requests
  (SMP-unaware caches)

This feature extends Collapsed Forwarding to internal revalidation
requests. This implementation does not support Vary-controlled cache
objects and is limited to SMP-unaware caching environments, where each
Squid worker knows nothing about requests and caches handled by other
workers.

Prior to these changes, multiple concurrent HTTP requests for the same
stale cached object always resulted in multiple internal revalidation
requests sent by Squid to the origin server. Those internal requests
were likely to result in multiple competing Squid cache updates, causing
cache misses and/or more internal revalidation requests, negating
collapsed forwarding savings.


* Bug #4302 pt2: IPFilter v5 transparent interception

This bug showed up as NAT lookup failures or strange IP values being
returned when IPv6 traffic was intercepted using IPFilter.


* Fix logged request size (%http::>st) and other size-related %codes.

Squid was previously logging the number of bytes it expected HTTP
responses to be, not the actual transferred sizes. On large aborted
objects this may be wildly wrong.
Also, the %http:: codes used in ICAP logs are related to the HTTP
message being delivered over ICAP, not the ICAP message.



 All users of Squid-3 are encouraged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid Signing key rollover

2016-10-28 Thread Amos Jeffries
The PGP key I use to sign Squid binaries and associated files is being
refreshed.

Squid-4.0.16 and later releases will be signed with the key:

 Email: Amos Jeffries (Squid Signing Key) 
 Fingerprint: B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E

 This new Squid-4 key has been signed by the Squid-3 key, and is
contained in the Squid Project keyring which can be downloaded from
<http://www.squid-cache.org/pgp.asc>

 It should also be found in the pool.sks-keyservers.net public servers.


Squid-3 releases will continue to be signed with the existing key to the
end of that version's support.


As always the .asc file published for any signed item contains the key
IDs and other details relevant for verifying that item.

If any issues are encountered please do not hesitate to contact me.

Amos Jeffries
The Squid Software Foundation


[squid-announce] Squid 4.0.16 beta is available

2016-10-30 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.16 release!


This release is a bug fix and stability release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:


* Regex ACL performance improvement

The code loading regex ACL data has been refactored. The result has been
a surprisingly large improvement in speed when loading configuration
files containing regex ACLs with many values.


* HTTP: initial support for Cache-Control:immutable

The 'immutable' Cache-Control value is a new experimental caching
control which allows servers to indicate certain responses are not going
to change during their freshness lifetime. It is an improved version of
the refresh_pattern 'ignore-reload' option.

NP: the 'ignore-reload' option remains until this control is fully
standardised. It is expected to become increasingly useless as wider use
of 'immutable' grows amongst servers.


Some changes shared with the future 3.5.23 release are noteworthy:

* Bug #4627: fix generate-host-certificates default

The squid.conf documentation has for some time said that this feature
was enabled by default. That was incorrect for Squid-3 and previous
Squid-4 releases.

This release actually enables the certificate generator by default in
Squid-4.


* HTTP: support Vary:* caching

Under RFC 2616 responses containing "Vary: *" header were not cachable.
That requirement has been loosened by RFC 7231 and Squid is now able to
cache these responses.


* ssl::server_name ACL badly broken since inception

The original server_name code mishandled all SNI checks and some rare
host checks. This was most visible with the reports that the
ssl::server_name ACL tests would fail where the equivalent regex ACL
test would behave differently, usually by matching. Or in situations
where neither would match despite the value appearing to be available.


 All users of Squid-4.0.x with ACL type ssl::server_name or
ssl::server_name_regex should upgrade to this release and re-test for
desired SSL-Bump feature behaviour.

 All users of Squid-4.0.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.17 beta is available

2016-12-17 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.17 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2016:10 Information disclosure in Collapsed Forwarding
 <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This problem only affects Squid configured to use the Collapsed
Forwarding feature. It is of particular importance for HTTPS
reverse-proxy sites with Collapsed Forwarding.

This problem is present on all 3.5 releases, though 3.5.22 is hit worst
due to the collapsed revalidation extension increasing the scope of
traffic which can be collapsed.


* SQUID-2016:11 Information disclosure in HTTP Request processing
 <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This vulnerability is present in all Squid-3.1 and later versions. The
only known workaround is to prevent caching entirely, which is far from
ideal.


* TLS: Support tunneling of bumped non-HTTP traffic

Previously, the use of "on_unsupported_protocol tunnel" resulted in
encrypted HTTP 400 (Bad Request) messages sent to clients that do not
speak HTTP(S), such as Skype groups, which appear to use TLS-encrypted
MSNP protocol instead of HTTPS.

This Squid allows admins using SslBump to tunnel Skype groups and
similar non-HTTP traffic bytes via "on_unsupported_protocol tunnel all".



 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] [ADVISORY] SQUID-2016:10 - Information disclosure in Collapsed Forwarding

2016-12-17 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:10
__

Advisory ID:        SQUID-2016:10
Date:               Dec 16, 2016
Summary:            Information disclosure
                    in Collapsed Forwarding.
Affected versions:  Squid 3.5 -> 3.5.22
                    Squid 4.0 -> 4.0.16
Fixed in version:   Squid 4.0.17, 3.5.23
__

http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
__

Problem Description:

 Due to incorrect comparison of request headers Squid can deliver
 responses containing private data to clients it should not have
 reached.

__

Severity:

 This problem allows a remote attacker to discover private and
 sensitive information about another client's browsing session,
 potentially including credentials which allow access to further
 sensitive resources.

 This problem only affects Squid configured to use the Collapsed
 Forwarding feature.

 It is of particular importance for HTTPS reverse-proxy sites
 with Collapsed Forwarding.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.23 and 4.0.17.

 In addition, patches addressing this problem can be found in our
 patch archives:

Squid 3.5 (excluding 3.5.22):
 

Squid 3.5.22:
 

Squid 4.0:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid-2.x has not been tested.


 The following command can be used to determine if Squid-3 or
 later have collapsed_forwarding in squid.conf:

  (squid -k parse 2>&1) | grep collapsed_forwarding


 All Squid-3.x versions without collapsed_forwarding configured
 are not vulnerable.

 All Squid-3.5 versions with 'collapsed_forwarding off'
 configured are not vulnerable.

 All Squid-3.5 versions up to and including Squid-3.5.22 with
 'collapsed_forwarding on' configured are vulnerable.

 All Squid-4.0 versions without collapsed_forwarding configured
 are not vulnerable.

 All Squid-4.0 versions with 'collapsed_forwarding off'
 configured are not vulnerable.

 All Squid-4.0 versions up to and including Squid-4.0.16 with
 'collapsed_forwarding on' configured are vulnerable.

__

Workaround:

 Remove all uses of 'collapsed_forwarding' from squid.conf and
 included sub-files.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This issue was reported by Felix Hassert from Sevenval
 Technologies GmbH.

 Fixed by Eduard Bagdasaryan from Measurement Factory.

__

Revision history:

 2016-11-28 17:28:43 UTC Initial Report
 2016-12-16 18:37:00 UTC Packages Released
__
END



[squid-announce] Squid 3.5.23 is available

2016-12-17 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.23 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2016:10 Information disclosure in Collapsed Forwarding
 <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This problem only affects Squid configured to use the Collapsed
Forwarding feature. It is of particular importance for HTTPS
reverse-proxy sites with Collapsed Forwarding.

This problem is present on all 3.5 releases, though 3.5.22 is hit worst
due to the collapsed revalidation extension increasing the scope of
traffic which can be collapsed.


* SQUID-2016:11 Information disclosure in HTTP Request processing
 <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>

This problem allows a remote attacker to discover private and sensitive
information about another client's browsing session, potentially
including credentials which allow access to further sensitive resources.

This vulnerability is present in all Squid-3.1 and later versions. The
only known workaround is to prevent caching entirely, which is far from
ideal.


* Bug #4169: HIT marked as MISS when If-None-Match does not match
* Bug #3940: Host verify failures MISS when they should be HIT
* Bug #3533: Cache still valid after HTTP/1.1 303 See Other
* Bug #2258: bypassing cache but not destroying cache entry

These bugs all share a common thread of reducing cache efficiency. This
Squid will now leave existing cache content in place for use unless the
new client response is able to be shared with other clients. Some of
these bugs are only partially fixed so further improvements may be possible.


* HTTP/1.1: make Vary:* objects cacheable

Under RFC 2616 responses containing a "Vary: *" header were not cacheable.
That requirement has been loosened by RFC 7231 and Squid is now able to
cache these responses.


* ssl::server_name ACL badly broken since inception

The original server_name code mishandled all SNI checks and some rare
host checks. This was most visible in reports that the
ssl::server_name ACL tests would fail where the equivalent regex ACL
test would behave differently, usually by matching, or in situations
where neither would match despite the value appearing to be available.


* TLS: Make key= before cert= an error instead of quietly hiding the issue

Previous versions of Squid would accept the TLS/SSL key= parameter being
configured before the cert= parameter, but would then silently discard
the key settings when loading the cert file. This would lead to
unexpected behaviour or obscure 'permission' errors.

This release will now produce a FATAL error and halt if configured with
a key= parameter before its matched cert= parameter.



 All users of Squid-3 are urged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] [ADVISORY] SQUID-2016:11 - Information disclosure in HTTP Request processing

2016-12-17 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2016:11
__

Advisory ID:        SQUID-2016:11
Date:               Dec 16, 2016
Summary:            Information disclosure
                    in HTTP Request processing.
Affected versions:  Squid 2.6 -> 2.7.STABLE9
                    Squid 3.1 -> 3.5.22
                    Squid 4.0 -> 4.0.16
Fixed in version:   Squid 4.0.17, 3.5.23
__

http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
__

Problem Description:

 Due to incorrect HTTP conditional request handling Squid can
 deliver responses containing private data to clients it should
 not have reached.

__

Severity:

 This problem allows a remote attacker to discover private and
 sensitive information about another client's browsing session,
 potentially including credentials which allow access to further
 sensitive resources.

__

Updated Packages:

 This bug is fixed by Squid version 3.5.23 and 4.0.17.

 In addition, patches addressing this problem can be found in our
 patch archives:

Squid 3.1:
 

Squid 3.2:
 

Squid 3.3:
 

Squid 3.4:
 

Squid 3.5:
 

Squid 4.0:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x versions are not vulnerable.

 All Squid-3.0 are not vulnerable.

 All Squid-3.1 versions up to and including 3.1.9 are not
 vulnerable.

 All Squid-3.1 versions 3.1.10 and later are vulnerable.

 Squid-3.2.0.1 and 3.2.0.2 are not vulnerable.

 All Squid-3.2 versions 3.2.0.3 and later are vulnerable.

 All Squid-3.3 versions are vulnerable.

 All Squid-3.4 versions are vulnerable.

 All Squid-3.5 versions up to and including Squid-3.5.22 are
 vulnerable.

 All Squid-4.0 versions up to and including Squid-4.0.16 are
 vulnerable.
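The version tables in the "Determining if your version is vulnerable" sections of SQUID-2016:10 (above) and SQUID-2016:11 (this advisory), turned into a shell check. This is an added example, not tooling from the Squid project; it assumes the "Squid Cache: Version x.y.z" line of "squid -v" and the "Processing: ..." echo lines of "squid -k parse", and the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not part of the Squid advisories: classify a Squid install
# against the version tables of SQUID-2016:10 and SQUID-2016:11.
# Sample "squid -v" and "squid -k parse" output below is constructed.

# Keep only the leading digits and dots: "4.0.17-20161217" -> "4.0.17",
# "2.7.STABLE9" -> "2.7.".
numeric_version() { printf '%s\n' "${1%%[!0-9.]*}"; }

# vercmp A B: print -1, 0 or 1 comparing dotted versions component by
# component. Missing components count as 0, so "3.5" equals "3.5.0".
vercmp() {
    a=$(numeric_version "$1"); b=$(numeric_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

ver_le() { [ "$(vercmp "$1" "$2")" -le 0 ]; }
ver_ge() { [ "$(vercmp "$1" "$2")" -ge 0 ]; }

# in_series V PREFIX: true when V is PREFIX or PREFIX.x (3.5.22 is in 3.5).
in_series() {
    case "$(numeric_version "$1")" in "$2"|"$2".*) return 0 ;; *) return 1 ;; esac
}

# Pull the version out of "squid -v" output ("Squid Cache: Version 3.5.22").
version_from_squid_v() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p'
}

# True when "squid -k parse" output shows the directive enabled. Stricter
# than the advisory's grep, which also matches "collapsed_forwarding off".
collapsed_forwarding_on() {
    printf '%s\n' "$1" | grep -Eq 'collapsed_forwarding[[:space:]]+on([[:space:]]|$)'
}

# SQUID-2016:10: 3.5 up to 3.5.22 and 4.0 up to 4.0.16, and only when
# collapsed_forwarding is on.  Args: VERSION PARSE_OUTPUT
squid_2016_10_vulnerable() {
    { { in_series "$1" 3.5 && ver_le "$1" 3.5.22; } ||
      { in_series "$1" 4.0 && ver_le "$1" 4.0.16; }; } &&
    collapsed_forwarding_on "$2"
}

# SQUID-2016:11, following the advisory's "Determining if your version is
# vulnerable" table (which lists Squid-2.x as not vulnerable).  Arg: VERSION
squid_2016_11_vulnerable() {
    { in_series "$1" 3.1 && ver_ge "$1" 3.1.10; } ||
    { in_series "$1" 3.2 && ver_ge "$1" 3.2.0.3; } ||
    in_series "$1" 3.3 ||
    in_series "$1" 3.4 ||
    { in_series "$1" 3.5 && ver_le "$1" 3.5.22; } ||
    { in_series "$1" 4.0 && ver_le "$1" 4.0.16; }
}

# report VERSION PARSE_OUTPUT: one-line summary for both advisories.
report() {
    v=$1
    if squid_2016_10_vulnerable "$v" "$2"; then s10=VULNERABLE; else s10="not vulnerable"; fi
    if squid_2016_11_vulnerable "$v"; then s11=VULNERABLE; else s11="not vulnerable"; fi
    printf 'Squid %s: SQUID-2016:10 %s, SQUID-2016:11 %s\n' "$v" "$s10" "$s11"
}

# Constructed sample output (not captured from a real host).
SAMPLE_SQUID_V='Squid Cache: Version 3.5.22
Service Name: squid'
SAMPLE_PARSE_ON='2016/12/17 09:00:00| Processing: http_port 3128
2016/12/17 09:00:00| Processing: collapsed_forwarding on'
SAMPLE_PARSE_OFF='2016/12/17 09:00:00| Processing: http_port 3128
2016/12/17 09:00:00| Processing: collapsed_forwarding off'

report "$(version_from_squid_v "$SAMPLE_SQUID_V")" "$SAMPLE_PARSE_ON"
# On a live host:
#   report "$(version_from_squid_v "$(squid -v)")" "$(squid -k parse 2>&1)"
```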

__

Workaround:

 The only workaround known is to disable caching, including
 memory cache. In squid.conf set:

   cache deny all
   cache_mem 0

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This issue was reported by Saulius Lapinskas from Lithuanian
 State Social Insurance Fund Board.

 Fixed by Garri Djavadyan from iPlus LLC (Comnet ISP).

__

Revision history:

 2014-12-30 12:44:32 UTC Initial Report
 2016-12-16 18:37:00 UTC Packages Released
__
END


[squid-announce] Squid 3.5.24 is available

2017-01-30 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.24 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Recent alterations to the SSL-Bump feature logic were found to be
breaking the measure put in place to disable TLS renegotiation.
Since some TLSv1.2+ mechanisms actively require it and the upcoming
OpenSSL v1.1+ make it quite hard to disable, we have decided to mitigate
the vulnerability by implementing a rate limit on renegotiation instead
of an outright disable.


* SSLv2 records force SslBump bumping despite a matching step2 peek rule.

This bug shows up as SSLv2 connections being bumped to deliver an error
when they should have been spliced as configured. Squid will now splice
all connections it has been configured to regardless of whether the
obsolete SSLv2 syntax is being used.

When bumping or receiving the connection itself Squid will still reject
SSLv2. Only spliced traffic is affected by this.


* Update External ACL helpers error handling and caching

The Squid helper protocol has undergone several important changes but
the external ACL logic and bundled helpers have not kept up. The ACL
logic handling helper replies also had some bugs in the event of helper
failures.

This release fixes those various bugs and updates all the bundled
helpers to make use of the BH (BrokenHelper) status to signal internal
errors differently to ACL denial.


* Bug #3940 pt2: Make 'cache deny' do what is documented

There was a small regression in the 3.5.23 release fix for bug 3940. The
'cache deny' rules were not being obeyed. Surprisingly this has had no
complaints.

Perhaps that is a sign that anyone using 'cache deny' rules should
reassess whether those rules are still useful in these latest Squid releases.



 All users of Squid-3 are encouraged to upgrade to this release as
soon as possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.18 beta is available

2017-02-12 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.18 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* OpenSSL v1.1 support

Many compile issues when building with OpenSSL v1.1.* have been
resolved. The way this was fixed has uncovered a bug in the LibreSSL
library - so LibreSSL will no longer build with Squid-4.


* squidclient TLS debugging

The squidclient tool when built with GnuTLS has HTTPS support. This
version extends the -v debugging mechanism to also produce debug
information from the GnuTLS library about TLS operations.


There are also some major behaviour changes shared with Squid-3.5 which
are included in this release:

* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Recent alterations to the SSL-Bump feature logic were found to be
breaking the measure put in place to disable TLS renegotiation.
Since some TLSv1.2+ mechanisms actively require it and the upcoming
OpenSSL v1.1+ make it quite hard to disable, we have decided to mitigate
the vulnerability by implementing a rate limit on renegotiation instead
of an outright disable.


* SSLv2 records force SslBump bumping despite a matching step2 peek rule.

This bug shows up as SSLv2 connections being bumped to deliver an error
when they should have been spliced as configured. Squid will now splice
all connections it has been configured to regardless of whether the
obsolete SSLv2 syntax is being used.

When bumping or receiving the connection itself Squid will still reject
SSLv2. Only spliced traffic is affected by this.


* Update External ACL helpers error handling and caching

The Squid helper protocol has undergone several important changes but
the external ACL logic and bundled helpers have not kept up. The ACL
logic handling helper replies also had some bugs in the event of helper
failures.

This release fixes those various bugs and updates all the bundled
helpers to make use of the BH (BrokenHelper) status to signal internal
errors differently to ACL denial.



 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 3.5.25 is available

2017-04-07 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.25 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Bug 4508: Host forgery stalls intercepted being-spliced connections.

This bug shows up as SSL-Bumped connections being stuck in various TCP
open or half-open states and not closing until the TCP timeouts are reached.

Note, there are still other issues leading to the same behaviour and not
necessarily SSL-Bump related. This release works around the most common
issues affecting recent Squid-3 releases, but some remain and a better
long-term solution will be implemented later.


* Native FTP relay: NAT and TPROXY interception fixes

FTP Native relay is now able to cope with active-mode FTP DATA
connections when intercepting FTP traffic. Previously Squid would use
incorrect IP:port details which would not work with many clients.


* Bump SSL client on [more] errors encountered before ssl_bump evaluation

This bug shows up as error responses for issues encountered early in the
TLS/SSL handling being sent to clients unencrypted when Squid should
have bumped and delivered them encrypted.



 All users of Squid-3 with SSL-Bump functionality are encouraged to
upgrade to this release as soon as possible.

 All other users of Squid-3 are encouraged to upgrade to this release as
time permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.19 beta is available

2017-04-07 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.19 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Bug #4671: various GCC 7 compile errors

GCC 7 adds a number of new warnings and behaviour checking that prevents
building older releases easily. This release fixes most of the issues
and should build most features. However, some more have been found since
release bundling.


* Fix two read-ahead problems related to delay pools (or lack thereof).

Squid delays reading from the server after buffering read_ahead_gap
bytes that are not yet sent to the client. A delayed read is normally
resumed after Squid sends more buffered bytes to the client. However,
Squid was not resuming the delayed read after all Store clients were gone.


* Crypto-NG: initial GnuTLS support for encrypted server connections

This release adds support for servicing https:// URLs received from
clients, and TLS connections to cache_peer when built with GnuTLS.

Advanced GnuTLS TLS options= strings in squid.conf are significantly
different from OpenSSL options. See the release notes and squid.conf
documentation for specific details.

NOTE: https_port and SSL-Bump features are not yet supported with GnuTLS.


 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.20 beta is available

2017-06-13 Thread Amos Jeffries
 mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 3.5.26 is available

2017-06-13 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.26 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Bug 4711: SubjectAlternativeNames is missing in some generated certificates


Previous releases of Squid were not able to generate valid mimic 
certificates from AltName server certificate field only. This leads to 
security error [missing_subjectAltName] in modern browsers (both 
Chrome/Firefox this time), and, net::ERR_CERT_COMMON_NAME_INVALID errors 
visible to users.



* Bug 4682: ignoring http_access deny when client-first bumping mode is used

This bug appears as Squid failing to identify some HTTP requests which
are tunneled inside an already established client-first bumped tunnel,
which results in http_access deny being ignored for these requests.



* Bug 4589: ssl_crtd: returning zero on failure

This bug has been affecting some init scripts that were depending on the
tool return values to detect when it failed to initialize the
certificate database. This does not resolve any initialization issues
directly; it merely allows init scripts to be made aware of them before
Squid is started.



* Bug 3102 and 3772: FTP directory listings display issues

These bugs appear as line wrap and path truncation errors in FTP
directory listings from some FTP servers.



* OpenSSL support better compliance with license requirements

The OpenSSL license requires that all binaries which are built to 
utilize the library API (that includes any library derived from OpenSSL) 
must publicly advertise that OpenSSL or derivative library in all 
documentation detailing features of that software.


This release of Squid will now include the required OpenSSL 
advertisement on builds -v output where features are displayed. This is 
primarily intended as a way to easily identify which library is being 
used by Squid at run-time when multiple libraries are present on a system.


Please note even with this update Squid is still not directly compatible 
with the OpenSSL terms of distribution. Distributors of OpenSSL enabled 
Squid are required to ensure they meet both GPL and OpenSSL licensing 
requirements.




 All users of Squid-3 with SSL-Bump functionality are encouraged to
upgrade to this release as soon as possible.

 All other users of Squid-3 are encouraged to upgrade to this release as
time permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



[squid-announce] Squid 4.0.21 beta is available

2017-07-09 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.21 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Regression Bug 4492: Chunk extension parser is too pedantic

With this fix Squid is back to ignoring some unusual message whitespace 
padding that senders should not have been doing, but which are generally 
harmless to the protocol. It is a regression specific to the Squid-4 
release series, not affecting any other installations.



* Bug 1961 partial: Redesign urlParse API

The core changes for the redesign work are largely finished now. As a result
this release should have much lower memory use on url_rewrite API
lookups which choose not to rewrite the URL.



* Collapse security_file_certgen requests

This helper API now collapses identical parallel lookups into a single 
helper message to reduce load, latency and as a result reduce pressure 
on the system crypto services. It still has some issues, but should now 
cope a lot better with sudden load peaks as seen from browsers starting up.



* SSL-Bump: tproxy does not spoof spliced connections

This release now performs TPROXY spoofing properly when SSL-Bump logic
selects the splice action. Prior SSL-Bump would behave as if NAT intercept
was being used, by replacing the sender IP with Squid's own.



* Add a basic AppArmor profile

This release bundles a basic AppArmor profile contributed by Ubuntu
developers. As with init system scripts this profile is not installed by
default; packagers wishing to use it should pull the file from the
sources during packaging.



Several major bug fixes shared with the future Squid-3.5.27 release are 
also worth mentioning:


* Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

In Squid-3 this bug appeared as "fd_table[conn->fd].halfClosedReader != 
NULL" assertions.


Admins who have used the various config workarounds or patches to
suppress those assertions will need to reassess those temporary measures
after upgrading to this release.



* Bug 2833: collapsed forwarding doesn't work with NOT MODIFIED response

The security fix for CVE-2016-10003 had a negative effect on collapsed
forwarding. All "private" entries were considered automatically
non-shareable among collapsed clients. However this is not true: there
are many situations when collapsed forwarding should work despite
"private" (non-cacheable) entry status: 304/5xx responses are good
examples of that.


This release adds a mechanism to mark some non-cached responses as being 
able to share with collapsed forwarding.


These changes also involved fixing incorrect delivery of 304 responses 
to a client when Squid was the agent performing revalidation instead of 
the client.



* Bug 4112: ssl_engine does not accept cryptodev

This directive has been broken for quite a long time, failing to 
recognize any of the default OpenSSL engines. This release restores 
support for the OpenSSL engines feature.



* Fix SMP query handoff to Coordinator.

Several issues related to SMP messages to the coordinator process have 
been fixed. Some of these are likely to have been resulting in hung 
connections for SNMP and mgr transactions. Others were resulting in 
garbage messages arriving at the coordinator.




 All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.0.22 beta is available

2017-12-09 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.22 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Regression: Relay peer CONNECT error status line and headers to clients

Our CVE-2015-5400 fix was aggressive -- it hid all peer errors behind a 
generic 502 (Bad Gateway) response. The intent was never to have that 
situation be permanent.


Subsequent changes to the CONNECT handling now allow us to safely relay 
client response status and header - but not yet the message payloads. 
The client's TCP connection will continue to be closed immediately after 
the initial message headers are delivered, allowing clients to safely 
detect the missing response payload (if any) as a connection error in 
addition to any HTTP error indicated by the response status.


This should resolve a lot of client issues.


* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries

This rather nasty bug appears as a Squid with SMP workers crashing 
whenever SNMP or cache manager queries are received over IPv6.



* Bug 4648: object revalidation for HTTPS scheme

Previous Squid releases have not been performing cache revalidation for responses 
to https:// URL requests. As can be expected with the increased use of 
revalidation in HTTP/1.1 this leads to rather low caching efficiency and 
extra bandwidth consumption on a lot of traffic.



* Bug 4616: store_client.cc:92: "mem" assertion

This crash occurs primarily when Collapsed Forwarding was used, though 
it may also occur at other rare times.



* Bug 2821: ignore Content-Range in non-206 responses

Squid used to honor Content-Range header in HTTP 200 OK (and possibly 
other non-206) responses, truncating (and possibly enlarging) some 
response bodies. RFC 7233 declares Content-Range meaningless for 
standard HTTP status codes other than 206 and 416. Squid now relays 
meaningless Content-Range as is, without using its value on these responses.



* TLS: certificate validation improvements


The experimental auto-download feature for missing CA certificates has 
now been optimized to skip downloading if the CA certificate has 
previously been downloaded, or can be validated using another issuer CA.


Also, when Squid or its helper could not validate a downloaded 
intermediate certificate (or the root certificate), the Squid error page 
contained '[Not available]' instead of the broken certificate details, 
and '-1' instead of the depth of the broken certificate in logs.



* TLS: certificate generator improvements

SSL-Bump was found to be ignoring some origin server certificate changes 
or differences, incorrectly using the previously cached fake certificate 
(mimicking now-stale properties or properties of a slightly different 
certificate). Also, Squid was not detecting key collisions inside 
certificate caches.



* Fix backwards compatibility for Squid-3.5 external_acl_type formats

Previous Squid-4 releases omitted support for several external_acl_type 
format codes available in Squid-3. This has now been resolved and 
Squid-3 external_acl_type format configurations should remain working 
across an upgrade.



* Do not die silently when dying early

Squid previously could terminate silently, with no log entries in 
cache.log nor syslog, if the reason for termination was some environment 
condition discovered during the process environment setup. Squid should 
now catch these types of issues and deliver an error to the best 
available log output; usually that would be syslog or the OS 'messages' 
log, due to cache.log not being set up. If the -X command line parameter 
is used, stderr will be used instead.



* Docs: update translation files

As we are closing in on the final bug fixes for Squid-4 the i18n 
translation texts have been updated. This and other routine 
documentation additions form the majority of the size of this release 
difference from the previous release.



 All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@
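The Content-Range rule described under Bug 2821 above, as an added example that is not part of the announcement or of Squid's source: a parser for the RFC 7233 Content-Range value and a body-sizing function that consults it only on a 206 response, with a switch that reproduces the pre-fix behaviour on a 200 for comparison. The function names and the header values used to exercise it are constructed for the example.

```python
"""Content-Range handling gated on response status, per RFC 7233.

Added example, not Squid's own code: models the Bug 2821 change. A
Content-Range header is only meaningful on a 206 (Partial Content) or
416 (Range Not Satisfiable) response; on any other status a proxy must
relay it untouched and never use it to size the body.
"""
import re
from typing import Dict, Optional, Tuple

# byte-content-range = "bytes " first "-" last "/" (complete-length / "*")
# unsatisfied-range  = "bytes */" complete-length
_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")
_UNSAT_RE = re.compile(r"^bytes \*/(\d+)$")


def parse_content_range(value: str) -> Optional[Tuple[Optional[int], Optional[int], Optional[int]]]:
    """Parse a Content-Range value into (first, last, complete_length).

    Returns None for malformed or self-contradictory values (first > last,
    or last >= complete length): a proxy must treat those as absent rather
    than trust them. An unsatisfied-range value yields (None, None, length).
    """
    value = value.strip()
    m = _RANGE_RE.match(value)
    if m:
        first, last = int(m.group(1)), int(m.group(2))
        complete = None if m.group(3) == "*" else int(m.group(3))
        if first > last or (complete is not None and last >= complete):
            return None
        return first, last, complete
    m = _UNSAT_RE.match(value)
    return (None, None, int(m.group(1))) if m else None


def expected_body_length(status: int, headers: Dict[str, str],
                         honor_on_any_status: bool = False) -> Optional[int]:
    """Body length implied by the response headers, or None if unknown.

    Fixed behaviour (default): Content-Range is consulted only on a 206;
    every other status, 416 included, is sized from Content-Length and a
    stray Content-Range is relayed as-is without influencing the size.
    honor_on_any_status=True reproduces the pre-fix behaviour, where a 200
    carrying "Content-Range: bytes 0-99/5000" is sized as 100 bytes and
    the real body is truncated (or enlarged, for a range wider than it).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    cr = hdrs.get("content-range")
    if cr is not None and (status == 206 or honor_on_any_status):
        parsed = parse_content_range(cr)
        if parsed is not None and parsed[0] is not None:
            first, last, _ = parsed
            return last - first + 1
    cl = hdrs.get("content-length", "")
    return int(cl) if cl.isdigit() else None
```

The same 200 response with a stray `Content-Range: bytes 0-99/5000` and `Content-Length: 5000` is sized as 5000 bytes by the default path and as 100 bytes with `honor_on_any_status=True`, which is exactly the truncation the bug report describes.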

[squid-announce] RFC: Squid ESI processor changes

2018-01-18 Thread Amos Jeffries
The Squid team are planning to remove the Custom XML parser used for ESI 
processing from the next Squid version.


At first this seemed like a simple removal of unused functionality. 
However during review of the changes it turns out this functionality may 
be used in many situations when it should not have been.



Can people using ESI please provide answers for these questions:


What is your setting for the esi_parser squid.conf directive?

 a) did not set it
 b) "expat"
 c) "libxml2"
 d) "custom"

If you answered (d), why choose that one?


If you answered (a), does setting it explicitly to either of the other 
parsers cause a large impact on your traffic performance?


  Yes/No

If yes, which did you choose?

 ... and how much of an impact was seen?



If you are not comfortable answering this to the squid-dev mailing list 
please feel free to send your responses directly to me.


Amos Jeffries
The Squid Software Foundation

___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 4.0.23 beta is available

2018-01-22 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.23 release!


This release is a security vulnerability and bug fix release resolving
several issues found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2018:1 Denial of Service issue in ESI Response processing.

Squid would crash when receiving certain ESI syntax from its origin 
servers. This is particularly problematic for servers which only deliver 
the relevant syntax on uncommon responses and so are not easily detected.


The SSL-Bump feature for HTTPS interception was entangled with 
reverse-proxy processing (and in some cases may still be). Making use of 
the SSL-Bump feature is also at risk of encountering the responses from 
servers. Both splice and bump actions are affected.



The fix for Squid-4 is to remove the affected ESI custom parser 
entirely. The use of libxml2 or libexpat is now required for ESI 
support. The default behaviour is to auto-select the most preferred 
library built against.


Installations explicitly choosing "esi_parser custom" in their 
squid.conf will need to change to one of the above mentioned libraries.



Please see the accompanying ADVISORY for details on determining your 
proxy vulnerability and for patches applicable to older versions.



* SQUID-2018:2 Denial of Service issue in HTTP Message processing.

Squid generating ESI sub-requests and requests by the new auto-Download 
feature for intermediary TLS certificates could lead to crashes when 
preparing to log the transaction. This issue can be triggered on demand 
by clients.


Please see the accompanying ADVISORY for details on determining your 
proxy vulnerability and for patches applicable to older versions.



* Bug 4679: User names not sent to url_rewrite_program

This bug appeared as a missing user name in url_rewrite_extras parameters 
to the re-writer program when that name was retrieved via an 
authorization mechanism instead of authentication. Specifically the IDENT 
protocol or external ACL helpers.



* Bug 4631: security_file_certgen helper without disk cache

This helper's reliance on disk cache management can slow it down on some 
systems which are otherwise able to generate certificates fast. Running 
it purely from memory is now a possibility to avoid these performance 
issues. However, there is no memory cache as yet so this memory-only 
operation requires generating new certificates on every lookup.


Admins encountering significant speed issues with SSL-Bump are encouraged 
to try this helper behaviour. Others



* Nettle v3.4 support

The Nettle library API used by Squid has undergone several updates 
across its 3.3 and 3.4 releases which make recent Squid not able to 
build with these recent libraries.


This Squid now supports the Nettle-3.4 API, with backward compatibility 
provided if older Nettle versions are being used.



* Fix %

These logformat macros/codes were not producing accurate outputs in 
certain transactions. Most issues were related to CONNECT tunnel 
transactions, although some issues occurred in other transactions. All 
known issues with these macros/codes are fixed in this Squid release.




 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2018:2 Denial of Service issue in HTTP Message processing

2018-01-22 Thread Amos Jeffries

__

Squid Proxy Cache Security Update Advisory SQUID-2018:2
__

Advisory ID:        SQUID-2018:2
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                    in HTTP Message processing.
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__

http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses or downloading
 intermediate CA certificates.

__

Severity:

 This problem allows a remote client delivering certain HTTP
 requests in conjunction with certain trusted server responses to
 trigger a denial of service for all clients accessing the Squid
 service.

__

Updated Packages:

 This bug is fixed by Squid version 4.0.23.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid configured with "log_uses_indirect_client off" are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for reverse-proxy with squid.conf
 containing "log_uses_indirect_client on" are vulnerable.

 All Squid-4 up to and including Squid-4.0.22 being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used for TLS/HTTPS intercept proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

__

Workarounds:

 Configure "log_uses_indirect_client off" in squid.conf

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The initial issue was reported by Louis Dion-Marcil on behalf of
 GoSecure.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2017-12-13 20:09:30 UTC Initial Report
 2018-01-18 23:10:00 UTC Patches Released
 2018-01-21 07:45:00 UTC Advisory and fixed packages released
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2018:1 Denial of Service issue in ESI Response processing

2018-01-22 Thread Amos Jeffries

__

Squid Proxy Cache Security Update Advisory SQUID-2018:1
__

Advisory ID:        SQUID-2018:1
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                    in ESI Response processing.
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__

http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
__

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses.

__

Severity:

 This problem allows a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.

 This problem is limited to the Squid custom ESI parser.
 Squid built to use libxml2 or libexpat XML parsers do not have
 this problem.

__

Updated Packages:

 This bug is fixed by Squid version 4.0.23.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_1.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_1.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid configured with "esi_parser expat" are not vulnerable.

 All Squid configured with "esi_parser libxml2" are not
 vulnerable.

 All Squid-3.0 versions built without --enable-esi are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and using
 custom ESI parser for reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for TLS / HTTPS interception are
 vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used as reverse-proxy are vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used as TLS/HTTPS intercept proxy are vulnerable.

__

Workarounds:

Either;

 Build Squid with --disable-esi

Or,

 Build Squid with "--enable-esi --with-libxml2" and in squid.conf
 configure "esi_parser libxml2"

Or,

 Build Squid with "--enable-esi --with-expat" and in squid.conf
 configure "esi_parser expat"

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 The initial issue was reported by Louis Dion-Marcil on behalf of
 GoSecure.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2017-12-13 20:09:30 UTC Initial Report
 2018-01-18 23:10:00 UTC Patches Released
 2018-01-21 07:45:00 UTC Advisory and fixed packages released
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 4.0.24 beta is available

2018-03-18 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.24 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* GnuTLS support for https_port

When built with GnuTLS instead of OpenSSL this Squid is now able to open
listening ports and receive HTTPS traffic in explicit proxy or reverse
proxy modes. SSL-Bump and intercept proxy are not yet supported.

With GnuTLS comes the ability to configure multiple static (or wildcard)
certificates for a single https_port. This ability is sadly not shared
by OpenSSL.

WARNING: A regression in handling of the cafile= option has been found
in this release. It may be resolved by combining the CA chain into the
PEM file configured with cert=.

With the new multi-cert support combining the certificate and its CA
chain in one PEM file becomes the new Best Practice configuration to
ensure the CA chain is associated only with the relevant certificate(s)
and keys.


* Fix SSL-Bump with an authentication type other than the Basic

This improves the Squid behaviour working with SSL-Bump'ed CONNECT
messages when the original CONNECT contained authentication credentials.

Earlier releases would unconditionally treat all such bumped traffic as
successfully authenticated. When a configuration used proxy_auth ACLs to
check access on a per-user basis or for methods other than the Basic
scheme that could incorrectly allow access to resources intended to be
hidden to some users.

This release now processes the proxy_auth ACL checks normally, but with
the CONNECT credentials so allow/deny can work as intended. ACL results
requiring re-authentication should act as an ACL non-match instead of
generating a re-authenticate challenge.


* Improved compiler support

This release fixes a number of compile errors seen with GCC-7 and
Clang-3.9 versions across several operating systems.

There are still a number of outstanding issues when building with the
latest GCC-8 versions. Fixes for those are expected to be in the next
release.



  All users of Squid-4.x are urged to upgrade to this release as
  soon as possible.

  All users of Squid-3 are encouraged to test this release out and plan
  for upgrades where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2018:3 Denial of Service issue in ESI Response processing.

2018-04-18 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2018:3
__

Advisory ID:        SQUID-2018:3
Date:               April 18, 2018
Summary:            Denial of Service issue
                    in ESI Response processing.
Affected versions:  Squid 3.1.12.2 -> 3.1.23
                    Squid 3.2.0.8 -> 3.2.14
                    Squid 3.3 -> 4.0.12
Fixed in version:   Squid 4.0.13
__

http://www.squid-cache.org/Advisories/SQUID-2018_3.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1172
__

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses.

__

Severity:

 This problem allows a remote server delivering ESI responses
 to trigger a denial of service for all clients accessing the
 Squid service.

 This problem is limited to Squid operating as reverse proxy.

__

Updated Packages:

 This bug is fixed by Squid version 4.0.13.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x and older are not vulnerable.

 All Squid-3.0 and older version are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid-3.x versions up to and including 3.4.14 built with
 --disable-ssl are not vulnerable.

 All Squid-3.x versions up to and including 3.4.14 built without
 --enable-ssl are not vulnerable.

 All Squid-3.x versions up to and including 3.5.27 built without
 --enable-esi are not vulnerable.

 All Squid-3.1.12.2 and later versions up to and including
 Squid-3.1.23 built with --enable-esi and --enable-ssl, and being
 used for reverse-proxy are vulnerable.

 All Squid-3.2.0.8 and later versions up to and including
 Squid-3.2.14 built with --enable-esi and --enable-ssl, and being
 used for reverse-proxy are vulnerable.

 All Squid-3.3 and later versions up to and including
 Squid-3.3.14 built with --enable-esi and --enable-ssl, and being
 used for reverse-proxy are vulnerable.

 All Squid-3.4 and later versions up to and including
 Squid-3.4.14 built with --enable-esi and --enable-ssl, and being
 used for reverse-proxy are vulnerable.

 All Squid-3.5 versions up to and including 3.5.27 built without
 --with-openssl are not vulnerable.

 All Squid-3.5 and later versions up to and including 3.5.27 built
 with --enable-esi and --with-openssl, and being used for
 reverse-proxy are vulnerable.

 All Squid-4 versions up to and including 4.0.12 built without
 --with-openssl are not vulnerable.

 All Squid-4 versions up to and including 4.0.12 built with
 --with-openssl and being used for reverse-proxy are vulnerable.

__

Workarounds:

Either;

 Build Squid with --disable-esi

Or,

 Build Squid-3.1 to 3.4.14 or later with "--disable-ssl"

Or,

 Build Squid-3.5 or later with "--without-openssl"

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Michael Marshall of Trend
 Micro working with Trend Micro's Zero Day Initiative.

 Fixed by Christos Tsantilas on behalf of Measurement Factory.

__

Revision history:

 2018-04-16 18:20:15 UTC Initial Report
 2018-04-16 22:02:25 UTC Patches Released
 2018-04-18 12:28:00 UTC Advisory Released
_
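The "Determining if your version is vulnerable" sections of SQUID-2018:1, SQUID-2018:2 and SQUID-2018:3 above, turned into one triage script. This is an added example, not the Squid project's code and not part of the advisories: it encodes each advisory's rules as written and applies them to `squid -v` output plus the relevant squid.conf directives. Assumptions not stated in the advisories: `squid -v` prints a "Squid Cache: Version X" line followed by a "configure options:" line; a port line carrying "accel" is taken as reverse-proxy use and one carrying "ssl-bump" as TLS interception; log_uses_indirect_client defaults to on; an unset esi_parser is treated as not being one of the safe libraries, which is the conservative answer. The sample `squid -v` text and squid.conf are constructed.

```python
"""Triage for SQUID-2018:1, SQUID-2018:2 and SQUID-2018:3.

Added example, not Squid project code. Encodes the advisories' rules as
written. Assumed, not taken from the advisories: the `squid -v` output
format; "accel" on a port line = reverse proxy and "ssl-bump" = TLS
interception; log_uses_indirect_client defaults to on; an unset
esi_parser counts as unsafe (conservative).
"""
import re
from typing import Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.5.27' -> (3, 5, 27, 0); padded to four parts so 3.1.12.2 compares cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def in_range(v: Tuple[int, ...], lo: str, hi: str) -> bool:
    """Inclusive check in the advisories' 'lo -> hi' notation."""
    return parse_version(lo) <= v <= parse_version(hi)


def parse_squid_v(output: str) -> Tuple[Tuple[int, ...], Set[str]]:
    """(version, set of ./configure option names) from `squid -v` output (format assumed)."""
    m = re.search(r"^Squid Cache: Version (\S+)", output, re.M)
    if not m:
        raise ValueError("no 'Squid Cache: Version' line in squid -v output")
    c = re.search(r"^configure options:(.*)$", output, re.M)
    opts = set(re.findall(r"--[\w-]+", c.group(1))) if c else set()
    return parse_version(m.group(1)), opts


def conf_lines(conf: str) -> List[List[str]]:
    """Tokenised squid.conf lines, comments and blanks dropped."""
    lines = [raw.split("#", 1)[0].split() for raw in conf.splitlines()]
    return [t for t in lines if t]


def last_value(lines: List[List[str]], directive: str) -> Optional[str]:
    """Single-valued directive: a later line overrides an earlier one."""
    vals = [t[1] for t in lines if t[0] == directive and len(t) > 1]
    return vals[-1] if vals else None


def port_has_option(lines: List[List[str]], option: str) -> bool:
    return any(t[0] in ("http_port", "https_port") and option in t[2:] for t in lines)


def squid_2018_1(v, opts, esi_parser, accel, bump) -> bool:
    """ESI custom-parser crash; fixed in 4.0.23."""
    if v[0] < 3 or "--disable-esi" in opts or esi_parser in ("expat", "libxml2"):
        return False
    if v[:2] == (3, 0):
        return "--enable-esi" in opts and accel
    if in_range(v, "3.1", "3.5.27") or in_range(v, "4", "4.0.22"):
        return accel or bump
    return False


def squid_2018_2(v, opts, indirect_on, accel, bump) -> bool:
    """Crash logging ESI sub-requests / CA auto-download; fixed in 4.0.23."""
    if not indirect_on:
        return False
    if v[:2] == (3, 0):
        return "--enable-esi" in opts and accel
    if in_range(v, "3.1", "3.5.27"):
        return accel
    return in_range(v, "4", "4.0.22") and (accel or bump)


def squid_2018_3(v, opts, accel) -> bool:
    """CVE-2018-1172, ESI response crash in reverse proxies; fixed in 4.0.13."""
    if not accel or "--disable-esi" in opts:
        return False
    if v[0] == 3:
        if "--enable-esi" not in opts:
            return False
        if v[:2] <= (3, 4):  # 3.1-3.4 used --enable-ssl, 3.5 uses --with-openssl
            tls = "--enable-ssl" in opts and "--disable-ssl" not in opts
        else:
            tls = "--with-openssl" in opts and "--without-openssl" not in opts
        ranges = [("3.1.12.2", "3.1.23"), ("3.2.0.8", "3.2.14"), ("3.3", "3.3.14"),
                  ("3.4", "3.4.14"), ("3.5", "3.5.27")]
        return tls and any(in_range(v, lo, hi) for lo, hi in ranges)
    if v[0] == 4:
        return ("--with-openssl" in opts and "--without-openssl" not in opts
                and in_range(v, "4", "4.0.12"))
    return False


def triage(squid_v_output: str, squid_conf: str) -> Dict[str, bool]:
    """Map each advisory ID to True when this build and config are affected."""
    v, opts = parse_squid_v(squid_v_output)
    lines = conf_lines(squid_conf)
    esi_parser = last_value(lines, "esi_parser")
    indirect_on = (last_value(lines, "log_uses_indirect_client") or "on") == "on"
    accel = port_has_option(lines, "accel")     # reverse proxy (assumed marker)
    bump = port_has_option(lines, "ssl-bump")   # TLS interception (assumed marker)
    return {
        "SQUID-2018:1": squid_2018_1(v, opts, esi_parser, accel, bump),
        "SQUID-2018:2": squid_2018_2(v, opts, indirect_on, accel, bump),
        "SQUID-2018:3": squid_2018_3(v, opts, accel),
    }


# Constructed sample input: a 3.5.27 reverse proxy using the custom ESI parser.
SAMPLE_SQUID_V = """Squid Cache: Version 3.5.27
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi' '--with-openssl' '--enable-follow-x-forwarded-for'
"""
SAMPLE_CONF = """# constructed squid.conf for the example
http_port 80 accel defaultsite=www.example.com
cache_peer 10.0.0.5 parent 8080 0 no-query originserver
esi_parser custom             # libxml2 or expat closes SQUID-2018:1
log_uses_indirect_client on   # off closes SQUID-2018:2
"""
```

Run against the constructed sample it reports all three advisories as hitting; switching the config to `esi_parser libxml2` and `log_uses_indirect_client off` clears SQUID-2018:1 and SQUID-2018:2 but not SQUID-2018:3, whose only workarounds are build-time, which is the point worth noticing before relying on squid.conf changes alone.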

[squid-announce] Squid 4.0.25 beta is available

2018-06-16 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.25 release!


This release is a bug fix and stability release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* Various regressions

 - Bug 4855: querying private entries for HTCP/ICP
 - Bug 4852: deny_info %R macro not being expanded
 - Bug 4847: proxy_auth ACL -i/+i flags not working
 - Bug 4831: filter chain certificates for validity when loading
 - Regression fix: Transient reader locking broken in 4.0.24

These are all fairly recent regressions, mostly found in the 4.0.24
release with some from earlier. Anyone having issues with these in older
betas please upgrade to this release.


* Bug 4845: NegotiateSsl crash on aborting transaction

This bug has been plaguing people since at least Squid-3.3. It has
turned out to be a timing race between TCP connection closure and the
TLS handshake callback event. As such it appears at unpredictable
times and with varying frequency, being most problematic at high traffic loads.


* Bug 4829: IPC shared memory leaks when disker queue overflows

This issue only affects proxies under high load. It was showing up as
"run out of shared memory pages for IPC I/O" errors in the logs at peak
traffic times and may have required a restart of Squid to recover normal
behaviour.


* Bug 4816: update negotiate_kerberos_auth helper protocol to v3.4

Squid's older helper protocol cannot easily handle whitespace or
non-ASCII characters in user names, group names, and passwords. This
results in partial usernames being logged, and possibly also some users
being denied login when they should have been permitted.

With this update to the newer helper protocol all these issues should
now be resolved for anyone using this helper.

NOTE: The NTLM and some other helpers still need to be updated, which
means this issue's behaviour may still remain if multiple helpers are in use.


* Bug 4707: purge tool does not obey --sysconfdir= build option

This issue was showing up as purge (aka. "squid-purge") tool being
unable to locate the squid.conf file unless it was explicitly provided
in command line arguments.

Effective immediately the tool obeys the --sysconfdir= build option
which is the correct way to set the squid.conf location. Packagers
setting build flags or patching the config location will have to update
their packaging.


* Add timestamps to (most) FATAL messages

Effective immediately, most cache.log "FATAL: ..." messages are being
recorded with the timestamp prefix as used on other log entries. This
should make it a lot clearer whether the line(s) above a FATAL message
are related or happen much earlier.

Anyone responsible for log parsers scanning cache.log needs to check
that their parsers can cope with the updated log format.



  All users of Squid-4.x are urged to upgrade to this release as
  soon as possible.

  All users of Squid-3 are encouraged to test this release out and plan
  for upgrades where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 4.1 is available

2018-07-03 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.1 release!


This release is, we believe, stable enough for general production use.

Support for Squid-3.x bug fixes has now officially ceased. Bugs in 3.5
will continue to be fixed, however the fixes will be added to the 4.x
series. All users of Squid-3.x are encouraged to plan for upgrades.


A short list of the major new features is:

 * RFC 6176 compliance (SSLv2 support removal)
 * Secure ICAP service connections
 * Add url_lfs_rewrite: a URL-rewriter based on local file existence
 * on_unsupported_protocol directive to allow Non-HTTP bypass
 * Update external_acl_type directive to use logformat codes
 * Experimental GnuTLS support for some TLS features
 * TLS/SSL related helpers renamed


Several features have been removed in 4.1:

 * refresh_pattern ignore-auth and ignore-must-revalidate options
 * cache_peer_domain directive
 * basic_msnt_multi_domain_auth helper
 * ESI custom parser - use XML2 or Expat instead.

Further details can be found in the release notes or the wiki.
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
http://wiki.squid-cache.org/Squid-4


Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go".

Please be particularly aware that for the TLS features the removal of
SSLv2 support may require manual attention to configuration settings
when upgrading from any Squid-3 or older version.


All feature additions are considered *experimental* until they have
survived at least one series of releases in general production use.
Please be aware of that when rolling out features which are new in
this series. Not all use-cases have been well tested yet and some may
not even have been implemented. Assistance is still needed despite the
releases general stability level.


Plans for the next series of releases is already well underway. Our
future release plans and upcoming features can be found at:
http://wiki.squid-cache.org/RoadMap


 See the ChangeLog for the full list of changes in this and earlier
 releases.

  All users of Squid-4.0 beta releases are urged to upgrade to this
  release as soon as possible.

  All users of Squid-3 are encouraged to upgrade where possible.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] Squid 3.5.28 is available

2018-08-10 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.28 release!



This release is a security fix release resolving several major issues
found in the prior Squid releases.

REMINDER: This and older releases are already deprecated by
  Squid-4.1 availability.


The major changes to be aware of:

* SQUID-2018:1 / CVE-2018-124
  Crash processing SSL-Bumped traffic containing ESI

  http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.

Squid-3.5 is also vulnerable to some regular ESI server responses
triggering this issue.

This problem is limited to the Squid custom ESI parser.
Squid built to use the libxml2 or libexpat XML parsers does not have
this problem.


* SQUID-2018:2 / CVE-2018-127
  Crash handling responses to internally generated requests

  http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.

This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.


* SQUID-2018:3 / CVE-2018-1172
  Crash in ESI Response processing

  http://www.squid-cache.org/Advisories/SQUID-2018_3.txt

This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.

This problem is limited to Squid operating as reverse proxy.


* Bug 4829: IPC shared memory leaks when disker queue overflows

This bug occurs when Squid is configured with rock only storage. After
a long period of high load or a shorter period of extremely high load,
disk IO drops entirely. Even after giving Squid time to recover and
then resuming a low load the diskers were just not doing anything.

A lot of "run out of shared memory pages for IPC I/O" errors may be
seen during the high load, and they continue to appear under smaller
loads after the recovery time.


* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries

This problem appears as a crash when Squid is operating with multiple
workers and receiving IPv6 SNMP queries.


* Bug 2821: Ignore Content-Range in non-206 responses

Squid used to honor Content-Range header in HTTP 200 OK (and possibly
other non-206) responses, truncating (and possibly enlarging) some
response bodies. RFC 7233 declares Content-Range meaningless for
standard HTTP status codes other than 206 and 416. Squid now relays
meaningless Content-Range as is, without using its value.


* SSL-Bump: fix authentication with schemes other than Basic

Squid-3.4.5 included a fix for handling Basic authentication of a
CONNECT tunnel which is being bump'ed. Requests within it were
intended to inherit the credentials of the tunnel, allowing Squid ACLs
to use authentication tests on the bumped traffic.

This release finally extends that fix to make bumped traffic inherit
the authentication credentials from the CONNECT tunnel regardless of
authentication type.


* TPROXY: Fix clientside_mark and client port logging

The clientside_mark ACL was not working with TPROXY because a
conntrack query could not find connmark without a true client port.

This also affected helpers and ACLs using client dst-port number
prior to logging when traffic was received with TPROXY.


* Fix "Cannot assign requested address" for to-origin TPROXY FTP data

This release adds the capability for TPROXY to be used on Native FTP
traffic (received at ftp_port). Prior releases would present the above
error when establishing FTP data connection and abort the transaction.



  All users of Squid-3 with SSL-Bump functionality are encouraged to
  upgrade to this release as soon as possible.

  All other users of Squid-3 are encouraged to upgrade to this release
  as time permits.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
  useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries

[squid-announce] Squid 4.2 is available

2018-08-10 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.2 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Regression: Restored support for the https_port clientca option

Squid was incorrectly reporting this TLS/SSL option as no longer
supported in configurations other than those using the "ssl-bump"
option. It was also not loading the CA certificate correctly in any build.

This release removes those incorrect notices and fixes loading of
the CA certificate.

There are still signs of possible issues with challenging for a client
X.509 certificate during the TLS handshake, which have not yet been
confirmed and tracked down. There are also indications that the
remaining issue(s) could be advanced OpenSSL options implicitly
preventing the challenge.


* Regression Bug 4870: milliseconds logformats prepend 0s instead of
  spaces

This bug appears when a milliseconds (%tu, %tr, %dt, %pt)
logformat macro is used with a specific minimum output string size
indicated. The result is a value prefixed with 0's which log processors
can confuse with octal notation in some common circumstances. This
release now correctly pads with whitespace unless 0's are explicitly
indicated by the macro syntax.


* Bug 4843 pt3: GCC-8 fixes and refactoring

This release completes the formal support for GCC-8 compiler changes, at
least in relation to the features and build settings normally produced
by ./configure options.

There are known to be some issues when building with custom compiler
flags for higher than normal optimization and extended warnings. While
such custom builds are intentionally permitted they are not officially
supported by the Squid Project core developers.


* Bug 4861: HTTPMSGLOCK missing pointer safety

This bug can appear when eCAP adaptors are being used along with
SSL-Bump of intercepted HTTPS traffic. It is also present in
Squid-3.5.27 and older but does not have any externally triggerable effects.


* Fix %>ru logging of huge URLs

When dealing with an HTTP request header that Squid can parse but that
contains a request URI exceeding the 8K length limit, Squid should log
the URL (prefix) instead of a dash. Logging the URL helps with triaging
these unusual requests. The older %ru macro was already logging these
huge URLs, but the %>ru macro was logging a dash. Now both log the URL
(or its prefix).

See the logformat documentation for more details on these macros'
behaviour <http://www.squid-cache.org/Doc/config/logformat/>



  All users of Squid-4 are urged to upgrade to this release as soon as
  possible.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.3 is available

2018-10-02 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.3 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Bug 4885: Excessive memory usage when running out of descriptors

When using some I/O select loops Squid can continue to allocate memory
for client connections after it has reached maximum available FD limits.
This release drops the memory to a fixed amount for each *_port
regardless of how many client connections arrive.


* Bug 4877: Add missing text about external_acl_type %DATA changes

The changes to the external_acl_type directive to encompass logformat
codes have a side effect on implicit %DATA parameters sent to the helpers.

Previous Squid versions would elide this field sometimes if no data
was contained - but only when implicit. Squid-4 will always send a
value, using '-' when no data exists.

This was omitted in earlier release documentation and caused some
surprises to admins with custom helpers not fully supporting the
current helper protocol.

Any users of this directive with custom helpers written for older
versions of Squid are advised to review what their helper is doing
and ensure that it can cope with the helper protocol fields documented
as 'optional'.


* Bug 4716: Blank lines in cachemgr.conf are not skipped

This bug appears as empty entries in the cachemgr.cgi web interface.
The Squid CGI tool will now elide such entries from display.


* Update systemd dependencies in squid.service

The squid.service file published with earlier releases lacked a
dependency on networking being fully operational. This resulted
in a mix of odd behaviours on machine startup when other networking
tools were slow to initialize NIC, DNS, or resolv.conf settings.

The squid.service file shipped with this release is expected to wait
until all networking resources are operational before Squid is started.



  All users of Squid-4 are encouraged to upgrade as time permits.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid-4.4 is available

2018-10-28 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.4 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* SQUID-2018:4
  Cross-Site Scripting issue in TLS error processing

 http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

This problem allows a malicious HTTPS server to trigger error
page delivery to a client and also inject arbitrary HTML code
into the resulting error response.

This problem is limited to Squid built with TLS / SSL support.


* SQUID-2018:5
  Denial of Service issue in SNMP processing.

 http://www.squid-cache.org/Advisories/SQUID-2018_5.txt

This problem allows a remote attacker to consume all memory
available to the Squid process, causing it to crash.

In environments where per-process memory restrictions are not
enforced strictly, or configured to large values this may also
affect other processes operating on the same machine. Leading to
a much worse denial of service situation.

This problem is limited to Squid built with SNMP support and
receiving SNMP traffic.


* Bug 4893: Malformed %>ru URIs for CONNECT requests

This bug showed up as "://host:port" URLs being logged for some CONNECT
transactions in Squid-4.2 and 4.3. This release reverts Squid to the
previous log output.


* Fix %USER_CA_CERT_xx and %USER_CERT_xx

Previous Squid-4 would crash when these macros were used to pass values
to external ACL helpers. This issue is now fully resolved.


* Support compilation with minimal OpenSSL

Squid would not build successfully against an OpenSSL library
which had itself been built to omit deprecated features and API.
This Squid release should build in these minimized environments.



  All users of Squid-4 are urged to upgrade as soon as possible.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] [ADVISORY] SQUID-2018:5 Denial of Service issue in SNMP processing

2018-10-28 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2018:5
__

Advisory ID:        SQUID-2018:5
Date:               October 28, 2018
Summary:            Denial of Service issue
                    in SNMP processing.
Affected versions:  Squid 3.2.0.10 -> 3.5.28
                    Squid 4.x -> 4.3
Fixed in version:   Squid 4.4
__

http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
__

Problem Description:

 Due to a memory leak in SNMP query rejection code, Squid is
 vulnerable to a denial of service attack.

__

Severity:

 This problem allows a remote attacker to consume all memory
 available to the Squid process, causing it to crash.

 In environments where per-process memory restrictions are not
 enforced strictly, or configured to large values this may also
 affect other processes operating on the same machine. Leading to
 a much worse denial of service situation.

 This problem is limited to Squid built with SNMP support and
 receiving SNMP traffic.

__

Updated Packages:

 This bug is fixed by Squid version 4.4.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch

Squid 4:
 http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid built with --disable-snmp are not vulnerable.

 All Squid-2.x and older versions are not vulnerable.

 All Squid-3.x up to and including 3.2.0.9 are not vulnerable.

 All Squid-3.x up to and including 3.5.28 configured with
 "snmp_port 0" are not vulnerable.

 All Squid-3.x up to and including 3.5.28 without snmp_port
 configured are not vulnerable.

 All Squid-3.2.0.10 and later 3.2.x versions with snmp_port
 configured to a non-0 value are vulnerable.

 All Squid-3.3 versions up to and including 3.3.14 with snmp_port
 configured to a non-0 value are vulnerable.

 All Squid-3.4 versions up to and including 3.4.14 with snmp_port
 configured to a non-0 value are vulnerable.

 All Squid-3.5 versions up to and including 3.5.28 with snmp_port
 configured to a non-0 value are vulnerable.

 All Squid-4.x versions up to and including 4.3 with snmp_port
 configured to a non-0 value are vulnerable.


To determine the version of your Squid and its build options use
the command:

 squid -v

To determine whether snmp_port is configured use the command:

 squid -k parse | grep snmp_port

__

Workarounds:

Either;

 Enable firewall inspection of SNMP packets to enforce blocking
 of any non-permitted packets prior to their arriving at Squid.

 This restriction of packet sources reduces the risk, but does not
 completely remove the vulnerability.

Or,

 Remove snmp_port and related configuration settings until Squid
 can be upgraded to a fixed build.

 This completely removes the vulnerability at cost of reduced
 management and monitoring capabilities.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered and fixed by Florian Kohnhäuser

__

Revision history:

 2018-10-23 06:15:46 UTC Initial Report
 2018-10-23 21:42:58 UTC Patch Released
 2018-10-27 21:19:00 UTC Packages Released
__
END
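The two manual checks the advisory gives ("squid -v" for the version and build options, "squid -k parse | grep snmp_port" for the listening port) can be combined into one decision. The script below is an added example written for this page, not part of the advisory or of the Squid sources. It assumes the usual "squid -v" output layout (a "Squid Cache: Version X" line followed by a "configure options:" line) and that "squid -k parse" echoes the accepted snmp_port directive, which is what the advisory's own grep relies on. The strings it is tested with are constructed, not captured from a real proxy.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Squid itself. It turns the
# advisory's two manual checks ("squid -v" for version and build options,
# "squid -k parse | grep snmp_port" for the listening port) into a decision
# function that can be run against captured output or against a live binary.

# vercmp_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Non-numeric components such as "STABLE9" count as 0, which is enough
# for the ranges named in the advisory.
vercmp_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# snmp_exposed VERSION CONFIGURE_OPTIONS SNMP_PORT_LINE
# Succeeds when the combination is inside the advisory's vulnerable set:
# version in [3.2.0.10, 4.4), SNMP compiled in, and a non-zero snmp_port.
# SNMP_PORT_LINE is whatever "squid -k parse | grep snmp_port" printed,
# or empty when the directive is absent from squid.conf.
snmp_exposed() {
    version=$1; opts=$2; port_line=$3

    # Builds configured with --disable-snmp contain no SNMP code.
    case "$opts" in *--disable-snmp*) return 1 ;; esac

    # Squid-2 and 3.x before 3.2.0.10 predate the leaking code; 4.4 fixes it.
    if vercmp_lt "$version" "3.2.0.10"; then return 1; fi
    if ! vercmp_lt "$version" "4.4"; then return 1; fi

    # Take the value following the first "snmp_port" token. "-k parse"
    # echoes the directive as "Processing: snmp_port 3401", so the token
    # is not assumed to start the line. Comment lines are ignored.
    port=$(printf '%s\n' "$port_line" | awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "snmp_port") { print $(i + 1); exit } }')
    if [ -z "$port" ] || [ "$port" = "0" ]; then return 1; fi
    return 0
}

# Run the same decision against the installed binary and its squid.conf.
snmp_advisory_check_live() {
    ver=$(squid -v | sed -n 's/^Squid Cache: Version //p')
    opts=$(squid -v | sed -n 's/^configure options: *//p')
    port_line=$(squid -k parse 2>&1 | grep snmp_port | head -n 1)
    if snmp_exposed "$ver" "$opts" "$port_line"; then
        echo "EXPOSED: Squid $ver has SNMP compiled in and an open snmp_port"
        return 0
    fi
    echo "not exposed: Squid $ver"
    return 1
}
```

Run snmp_advisory_check_live on the proxy host as the user that can read squid.conf. A "not exposed" answer that comes from "snmp_port 0" or an absent directive is exactly the advisory's second workaround; a "not exposed" answer that comes only from the version check still deserves a look at the vendor package, since distribution builds may carry a different version string than upstream.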

[squid-announce] [ADVISORY] SQUID-2018:4 Cross-Site Scripting issue in TLS error processing

2018-10-28 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2018:4
__

Advisory ID:        SQUID-2018:4
Date:               October 28, 2018
Summary:            Cross-Site Scripting issue
                    in TLS error processing.
Affected versions:  Squid 3.1.12.1 -> 3.1.23
                    Squid 3.2.0.4 -> 3.5.28
                    Squid 4.0 -> 4.3
Fixed in version:   Squid 4.4
__

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
__

Problem Description:

 Due to incorrect input handling, Squid is vulnerable to a
 Cross-Site Scripting vulnerability when generating HTTPS response
 messages about TLS errors.

__

Severity:

 This problem allows a malicious HTTPS server to trigger error
 page delivery to a client and also inject arbitrary HTML code
 into the resulting error response.

 This problem is limited to Squid built with TLS / SSL support.

__

Updated Packages:

 This bug is fixed by Squid version 4.4.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch

Squid 4:
 http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x and older are not vulnerable.

 All Squid-3.0 and older versions are not vulnerable.

 All Squid-3.x versions up to and including 3.4.14 built with
 --disable-ssl are not vulnerable.

 All Squid-3.x versions up to and including 3.4.14 built without
 --enable-ssl are not vulnerable.

 All Squid-3.1.12.1 and later versions up to and including
 Squid-3.1.23 built with --enable-ssl are vulnerable.

 All Squid-3.2.0.4 and later versions up to and including
 Squid-3.2.14 built with --enable-ssl are vulnerable.

 All Squid-3.3 and later versions up to and including
 Squid-3.3.14 built with --enable-ssl are vulnerable.

 All Squid-3.4 and later versions up to and including
 Squid-3.4.14 built with --enable-ssl are vulnerable.

 All Squid-3.5 versions up to and including 3.5.28 built without
 --with-openssl are not vulnerable.

 All Squid-3.5 and later versions up to and including 3.5.28 built
 with --with-openssl are vulnerable.

 All Squid-4 versions built without --with-openssl are not
 vulnerable.

 All Squid-4 versions up to and including 4.3 built with
 --with-openssl are vulnerable.

__

Workarounds:

Either;

 Remove %D error page macro from ERR_SECURE_CONNECT_FAIL and any
 custom error pages.

Or,

 Build Squid-3.1 to 3.4.14 without "--enable-ssl"

Or,

 Build Squid-3.5 or later without "--with-openssl"

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Nikolas Lohmann of eBlocker
 GmbH.

 Fixed by Christos Tsantilas on behalf of Measurement Factory.

__

Revision history:

 2018-10-15 10:59:16 UTC Initial Report
 2018-10-17 15:13:41 UTC Patches Released
 2018-10-27 21:19:00 UTC Packages Released
__
END
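The first workaround in the SQUID-2018:4 advisory (removing the %D macro) is easy to apply by hand to one file but easy to miss across a tree of per-language templates and custom pages. The script below is an added example, not from the advisory or from Squid. It assumes templates live under a directory such as the one named by error_directory, that %D is the only macro that needs removing, and that Squid treats %% as a literal percent sign in templates. The template content it is tested against is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Squid. It automates the
# first workaround: locate error page templates that expand the %D (error
# detail) macro and rewrite them with that macro removed, so the
# server-controlled detail text is never written into the HTML response.

# List every template under DIR (an error_directory tree, or the stock
# errors/ tree) that still references %D, skipping our own backups.
find_pages_using_detail() {
    grep -rl '%D' "$1" | grep -v '\.pre-2018_4$'
}

# Print FILE with every %D macro removed. Squid's templating treats %% as
# a literal percent sign (assumption noted in the lead-in), so "%%D" is
# text rather than a macro and is left alone. All other macros
# (%U, %h, %e, ...) pass through untouched.
strip_detail_macro() {
    awk '{
        out = ""; n = length($0); i = 1
        while (i <= n) {
            c = substr($0, i, 1)
            if (c == "%" && i < n) {
                d = substr($0, i + 1, 1)
                if (d == "%") { out = out "%%"; i += 2; continue }
                if (d == "D") { i += 2; continue }
            }
            out = out c; i++
        }
        print out
    }' "$1"
}

# Rewrite every affected template under DIR in place, keeping a
# .pre-2018_4 copy of each original next to it for rollback.
sanitize_error_dir() {
    dir=$1
    find_pages_using_detail "$dir" | while IFS= read -r page; do
        cp "$page" "$page.pre-2018_4"
        strip_detail_macro "$page.pre-2018_4" > "$page"
        echo "sanitized: $page"
    done
}
```

Run sanitize_error_dir against the stock errors tree and against every error_directory and deny_info page the proxy uses, then reload with "squid -k reconfigure". The detail text is useful for diagnosing TLS failures, so put it back by restoring the .pre-2018_4 copies once the proxy is on a fixed release.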


[squid-announce] Squid-4.5 is available

2019-01-04 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.5 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* Bug 4253: ssl_bump prevents access to some web contents

The SSL-Bump initial implementation was entangled with reverse-proxy
handling of decrypted HTTPS messages. This was a mistake we have been
reversing across the 3.5 and 4 cycles.

With this release SSL-Bump traffic handling is no longer tied to
reverse-proxy mode. As a result complications with ESI and
Surrogate-Control header handling have finally been resolved.


* Redesign forward_max_tries to count TCP connection attempts

This release includes an overhaul of the counting for HTTP message
forwarding and re-send attempts. This has an impact on how long it takes
Squid to detect and report connection errors to clients, persistent
connection overload recovery and detection of DEAD peer states.

The documentation for forward_max_tries and connect_retries has been
updated to more clearly specify the current expected behaviour.

Any users with systems tuned to optimize these behaviours should read
the updated squid.conf documentation and check their tuning after
upgrade to this release or any later.


* Fix client_connection_mark ACL handling of clientless transactions

This bug shows up as crashes when a client_connection_mark or
clientside_mark type ACL is used for access control. From this release
transactions without a client TCP connection will now produce a
non-match result when this ACL is tested.


* Multiple NetDB behaviour updates

NetDB state was not being recorded for connections to peers using TLS
nor for CONNECT tunnels. With the growth of HTTPS in recent times these
are increasingly important to optimize.

This release will now ping and record the latency information for these
connections to aid with optimizing connection setup of future transactions.


* The logformat code %>handshake is added

This code allows logging of initial bytes received for many protocols
to allow better debugging of unknown-protocol issues and external ACL
decision making.


* Use pkg-config for detecting libxml2

This release adds support for auto-detection of libxml2 location using
the pkg-config tools at build time. This may affect users of OS placing
libraries at a location outside the FHS layout. For example
cross-building or multi-architecture systems.

Note that support for custom PATH parameter is not yet implemented for
the --with-libxml2 build option. It is planned but did not make this
release. The pkg-config environment variables may be used for that if
necessary.



  All users of Squid-4 with SSL-Bump functionality are urged to upgrade
  as soon as possible.

  All other users of Squid-4 are encouraged to upgrade as time permits.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] Squid 4.6 is available

2019-02-26 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.6 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:


 * Fix several cases of rock cache corruption

Several bugs have been found in Squid's use of shared memory by the rock
cache functionality. These may have been causing performance issues
under high loads and possibly corrupting the cache objects stored in
rock format. Existing cache validation on HITs should have been catching
many of these objects and preventing use. However, due to the nature of
corruption in general we cannot be completely certain of that.

All users of rock cache type are urged to upgrade as soon as possible.

If your cache is known to contain sensitive data please also consider
wiping the existing rock cache contents to guarantee a clean state.


 * Fix BodyPipe/Sink memory leaks associated with auto-consumption

This bug shows up as a small memory leak when an eCAP service blocks a
transaction, or presents a complete replacement response payload. It may
also occur in other situations that use Squid's auto-consume feature to
clear unwanted HTTP message data from a connection.


 * Bug 4915: Detect IPv6 loopback binding errors

This bug shows up as helpers being started but communication not working
on machines where IPv6 has been disabled by sysctl preventing IPv6
address assignment.

This release will now detect these machine configurations and trigger
IPv4-only functionality on startup if necessary.


 * Bug 4914: Do not call setsid() in --foreground mode

Squid executed in --foreground is always a process group leader. Thus,
setsid(2) is unnecessary and always fails (with EPERM) for such Squids.


 * Bug 4856: Exit when GoIntoBackground() fork() call fails

Not exiting can leave the proxy running with inconsistent access
permissions to system resources. Squid has historically dropped
privileges anyway so this is not a security breach. But the behaviour
can confuse some third-party daemon managers.

This release will now strictly abort with an error if fork() is not
successful when starting Squid.


 * Fix OpenSSL builds that define OPENSSL_NO_ENGINE

Squid builds have been failing to compile against OpenSSL when custom
engine support is disabled. This release fixes the feature detection to
allow such builds to complete.



  All users of Squid-4 are urged to upgrade as soon as possible.

  All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] [ADVISORY] SQUID-2019:1 Denial of Service issue in cachemgr.cgi

2019-07-13 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:1
__

Advisory ID:        SQUID-2019:1
Date:               July 12, 2019
Summary:            Denial of Service issue
                    in cachemgr.cgi
Affected versions:  Squid 4.x -> 4.7
Fixed in version:   Squid 4.8
__

http://www.squid-cache.org/Advisories/SQUID-2019_1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12854
__

Problem Description:

 Due to incorrect string termination the cachemgr.cgi may access
 unallocated memory.

 On systems with memory access protections this can result in
 the CGI process terminating unexpectedly, resulting in a
 denial of service for all clients using it.

__

Severity:

 This problem allows a remote attacker with access to the Squid
 manager API to perform a denial of service on other clients.

 This problem is limited to the cachemgr CGI binary.

 Web servers which run per-client instances of CGI tools are
 affected by the issue, but the denial of service is not able to
 affect other clients.

__

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All cachemgr.cgi 3.x and older versions are not vulnerable.

 All cachemgr.cgi 4.x versions up to and including 4.7 are
 vulnerable.

 All Squid-4.7 and older versions accessed via the http:// URL
 manager interface are not vulnerable.

To determine the version and interface, look at the footer of
manager reports for the "Generated by" string.

__

Workarounds:

Either;

 Convert to exclusively using the HTTP manager interface until
 cachemgr.cgi can be upgraded to a fixed build.

Or;

 Deny all access with 'manager' ACL in squid.conf.

 This completely removes the vulnerability at cost of reduced
 management and monitoring capabilities.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Alex Rousskov of The
 Measurement Factory.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__

Revision history:

 2019-04-10 21:13:50 UTC Initial Report
 2019-05-18 09:43:41 UTC Patch Released
 2019-06-16 10:52:51 UTC CVE Assignment
__
END
___
squid-announce mailing list
squid-announce@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-announce] [ADVISORY] SQUID-2019:2 Denial of Service in HTTP Basic Authentication processing

2019-07-13 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:2
__

Advisory ID:        SQUID-2019:2
Date:               July 12, 2019
Summary:            Denial of Service issue
                    in HTTP Basic Authentication processing.
Affected versions:  Squid 2.x -> 2.7.STABLE9
                    Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.7
Fixed in version:   Squid 4.8
__

http://www.squid-cache.org/Advisories/SQUID-2019_2.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
__

Problem Description:

 Due to incorrect buffer management Squid is vulnerable to a
 denial of service attack when processing HTTP Basic
 Authentication credentials.

__

Severity:

 Due to incorrect string termination the Basic authentication
 credentials decoder may access memory outside the decode buffer.

 On systems with memory access protections this can result in
 the Squid process being terminated unexpectedly, resulting in a
 denial of service for all clients using the proxy.

__

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x up to and including 2.7.0STABLE9 being used for
 Basic Authentication are vulnerable.

 All Squid-3.x up to and including 3.5.28 being used for Basic
 Authentication are vulnerable.

 All Squid-4.x up to and including 4.7 being used for Basic
 Authentication are vulnerable.


To determine whether auth_param is configured for Basic
authentication in Squid-3.2 and later use the command:

 squid -k parse | grep auth_param


To determine whether auth_param is configured for Basic
authentication in Squid-3.1 and older use the command:

 grep auth_param /etc/squid/squid.conf
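The two checks above, the running version against the affected ranges and the presence of an auth_param line for the scheme, combined into one audit script. This is an added example, not Squid project code; it also carries the Digest-scheme ranges from SQUID-2019:3 further down this page so one run covers both advisories. The `squid -v` banner and the `squid -k parse` output it reads are constructed samples standing in for the real command output on a host.

```python
"""Audit a Squid build against SQUID-2019:2 and SQUID-2019:3 (added example)."""
import re

# Inclusive (first, last) affected ranges copied from the advisories.
# A series written "2.x" / "3.x" / "4.x" starts at the lowest version
# of that series.
ADVISORIES = {
    "SQUID-2019:2 Basic auth DoS (CVE-2019-12529)": (
        "basic",
        [("2.0", "2.7.STABLE9"), ("3.0", "3.5.28"), ("4.0", "4.7")],
    ),
    "SQUID-2019:3 Digest auth DoS (CVE-2019-12525)": (
        "digest",
        [("3.3.9", "3.5.28"), ("4.0", "4.7")],
    ),
}


def parse_version(text):
    """'4.7', '3.5.28' or '2.7.STABLE9' -> 3-tuple of ints.

    The 2.x 'STABLEn' suffix becomes the patch component and missing
    components are padded with 0, so '4.0.23' < '4.7' == '4.7.0'.
    Anything after a '-' (snapshot or distro suffix) is ignored.
    """
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    if len(nums) < 2:
        raise ValueError("unrecognised Squid version: %r" % text)
    return tuple((nums + [0, 0, 0])[:3])


def version_from_banner(banner):
    """Pull the version string out of `squid -v` output."""
    m = re.search(r"Version\s+(\S+)", banner)
    if not m:
        raise ValueError("no 'Version' line in squid -v output")
    return m.group(1)


def configured_auth_schemes(parse_output):
    """Auth schemes named by auth_param lines in `squid -k parse` output."""
    return {s.lower() for s in re.findall(r"\bauth_param\s+(\w+)", parse_output)}


def in_affected_range(version, ranges):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def audit(banner, parse_output):
    """Titles of the advisories that apply to this version and configuration."""
    version = version_from_banner(banner)
    schemes = configured_auth_schemes(parse_output)
    return [
        title
        for title, (scheme, ranges) in ADVISORIES.items()
        if scheme in schemes and in_affected_range(version, ranges)
    ]


# Constructed sample output: a Squid 4.7 with both schemes configured.
SAMPLE_BANNER = "Squid Cache: Version 4.7\nService Name: squid\n"
SAMPLE_PARSE = (
    "2019/07/13 10:00:00| Processing Configuration File: /etc/squid/squid.conf\n"
    "2019/07/13 10:00:00| Processing: auth_param basic program "
    "/usr/lib/squid/basic_ncsa_auth /etc/squid/passwd\n"
    "2019/07/13 10:00:00| Processing: auth_param basic realm proxy\n"
    "2019/07/13 10:00:00| Processing: auth_param digest program "
    "/usr/lib/squid/digest_file_auth /etc/squid/digest\n"
    "2019/07/13 10:00:00| Processing: http_access allow localhost\n"
)

if __name__ == "__main__":
    # On a live host replace the samples with the output of
    # `squid -v` and `squid -k parse` (for example via subprocess).
    for title in audit(SAMPLE_BANNER, SAMPLE_PARSE):
        print("AFFECTED:", title)
```

A proxy that is in range but has no auth_param line for the scheme is reported as unaffected, which matches the advisories' "being used for Basic/Digest Authentication" wording; the version check alone is not enough.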

__

Workarounds:

Either;

 Remove 'auth_param basic ...' configuration settings from
 squid.conf.

Or,

 Build Squid-3.2.14 and later versions with --disable-auth-basic


__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Jeriko One
 .

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-05-21 21:31:31 UTC Patches Released
 2019-06-05 15:52:17 UTC CVE Assignment
__
END


[squid-announce] [ADVISORY] SQUID-2019:3 Denial of Service in HTTP Digest Authentication processing

2019-07-13 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:3
__

Advisory ID:        SQUID-2019:3
Date:               July 12, 2019
Summary:            Denial of Service issue
                    in HTTP Digest Authentication processing.
Affected versions:  Squid 3.3.9 -> 3.5.28
                    Squid 4.x -> 4.7
Fixed in version:   Squid 4.8
__

http://www.squid-cache.org/Advisories/SQUID-2019_3.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
__

Problem Description:

 Due to incorrect buffer management Squid is vulnerable to a
 denial of service attack when processing HTTP Digest
 Authentication credentials.

__

Severity:

 Due to incorrect input validation the HTTP Request header
 parser for Digest authentication may access memory outside the
 allocated memory buffer.

 On systems with memory access protections this can result in
 the Squid process being terminated unexpectedly, resulting in a
 denial of service for all clients using the proxy.

__

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-ec0d0f39cf28da14eead0ba5e777e95855bc2f67.patch>

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-409956536647b3a05ee1e367424a24ae6b8f13fd.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid-3.x up to and including 3.3.8 are not vulnerable.

 All Squid-3.3.9 up to and including 3.3.14 being used for Digest
 authentication are vulnerable.

 All Squid-3.4 versions up to and including 3.4.14 being used for
 Digest authentication are vulnerable.

 All Squid-3.5 versions up to and including 3.5.28 being used for
 Digest authentication are vulnerable.

 All Squid-4.x up to and including 4.7 being used for Digest
 Authentication are vulnerable.


To determine whether auth_param is configured for Digest
authentication use the command:

 squid -k parse | grep auth_param

__

Workarounds:

Either;

 Remove 'auth_param digest ...' configuration settings from
 squid.conf.

Or,

 Build Squid with --disable-auth-digest


__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Jeriko One
 .

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE Assignment
 2019-06-08 21:09:23 UTC Patches Released
__
END


[squid-announce] [ADVISORY] SQUID-2019:5 Heap Overflow issue in HTTP Basic Authentication processing

2019-07-13 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:5
__

Advisory ID:        SQUID-2019:5
Date:               July 12, 2019
Summary:            Heap Overflow issue
                    in HTTP Basic Authentication processing.
Affected versions:  Squid 4.0.23 -> 4.7
Fixed in version:   Squid 4.8
__

http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12527
__

Problem Description:

 Due to incorrect buffer management Squid is vulnerable to a
 heap overflow and possible remote code execution attack when
 processing HTTP Authentication credentials.

__

Severity:

 This allows a malicious client to write a substantial amount of
 arbitrary data to the heap, potentially gaining the ability to
 execute arbitrary code.

 On systems with memory access protections this can result in
 the Squid process being terminated unexpectedly, resulting in a
 denial of service for all clients using the proxy.

 This issue is limited to traffic accessing the Squid Cache
 Manager reports or using the FTP protocol gateway.

__

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid-3.x are not vulnerable.

 All Squid-4.x up to and including 4.0.22 are not vulnerable.

 All Squid-4.0.23 up to and including 4.7 built with Basic
 Authentication features are vulnerable.

__

Workarounds:

Either;

 Deny ftp:// protocol URLs being proxied and Cache Manager report
 access to all clients:

acl FTP proto FTP
http_access deny FTP
http_access deny manager

Or,

 Build Squid with --disable-auth-basic

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Jeriko One
 .

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE Assignment
 2019-06-19 05:58:36 UTC Patches Released
__
END


[squid-announce] [ADVISORY] SQUID-2019:6 Multiple Cross-Site Scripting issues in cachemgr.cgi

2019-07-13 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:6
__

Advisory ID:        SQUID-2019:6
Date:               July 12, 2019
Summary:            Multiple Cross-Site Scripting issues
                    in cachemgr.cgi.
Affected versions:  Squid 2.x all releases
                    Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.7
Fixed in version:   Squid 4.8
__

http://www.squid-cache.org/Advisories/SQUID-2019_6.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
__

Problem Description:

 Due to incorrect input handling Squid cachemgr.cgi tool is
 vulnerable to multiple cross-site scripting attacks.

__

Severity:

 This allows a malicious server to embed URLs in its content such
 that user credentials and other information can be extracted from
 a client or administrator with access to the Squid cachemgr.cgi
 tool URL.

__

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.x:
 
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-5730c2b5cb56e7639dc423dd62651c8736a54e35.patch>

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-be1dc8614e7514103ba84d4067ed6fd15ab8f82e.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 The Squid proxy itself is not vulnerable. The problem is isolated
 to the manager CGI interface tool.

 The cachemgr.cgi tool displays its version number in the HTML page
 footer:

  All 2.x versions up to and including 2.7.STABLE9 are vulnerable.

  All 3.x versions up to and including 3.5.28 are vulnerable.

  All 4.x versions up to and including 4.7 are vulnerable.

  If your cachemgr.cgi does not display a version it is likely
  to be one of the older vulnerable versions.

__

Workarounds:

Either;

 Remove use of the cachemgr.cgi tool. It is only necessary for
 managing older proxies; the management reports of modern Squid
 proxies can be accessed directly.

Or,

 Add CORS protection to the web server running the CGI tool such
 that remote requests to the cachemgr.cgi tool cannot use
 query-string parameters.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Anil Pazvant.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-05-27 13:38:06 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE Assignment
 2019-07-04 01:17:48 UTC Patches Released
__
END


[squid-announce] Squid 4.8 is available

2019-07-13 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.8 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


 * SQUID-2019:1 Denial of Service issue in cachemgr.cgi
   (CVE-2019-12854)

This security vulnerability is in the cachemgr.cgi tool (not the
squid proxy). With certain requests the cachemgr.cgi may access
unallocated memory.

On systems with memory access protections this can result in the CGI
process terminating unexpectedly, resulting in a denial of service for
all clients using it.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_1.txt>


 * SQUID-2019:2 Denial of Service in HTTP Basic Authentication
   (CVE-2019-12529)

The Basic authentication credentials decoder may access memory outside
the decode buffer.

On systems with memory access protections this can result in the Squid
process being terminated unexpectedly, resulting in a denial of service
for all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_2.txt>


 * SQUID-2019:3 Denial of Service in HTTP Digest Authentication
   (CVE-2019-12525)

The HTTP Request header parser for Digest authentication may access
memory outside the allocated memory buffer.

On systems with memory access protections this can result in the Squid
process being terminated unexpectedly, resulting in a denial of service
for all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_3.txt>


 * SQUID-2019:5 Heap Overflow issue in HTTP Basic Authentication
   (CVE-2019-12527)

This allows a malicious client to write a substantial amount of
arbitrary data to the heap, potentially gaining the ability to execute
arbitrary code.

On systems with memory access protections this can result in the Squid
process being terminated unexpectedly, resulting in a denial of service
for all clients using the proxy.

This issue is limited to traffic accessing the Squid Cache Manager
reports or using the FTP protocol gateway.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_5.txt>


 * SQUID-2019:6 Multiple Cross-Site Scripting issues in cachemgr.cgi
   (CVE-2019-13345)

This allows a malicious server to embed URLs in its content such that
user credentials and other information can be extracted from a client or
administrator with access to the Squid cachemgr.cgi tool URL.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2019_6.txt>


 * Regression: Fix tls-min-version= being ignored

Squid-4 has been allowing negotiation of TLS versions prohibited by this
option. Also, for some configurations the tls-options= also does not
work as intended. This release fixes both these options to work as
documented.


 * Add the NO_TLSv1_3 option to available tls-options values

This release brings the ability to prohibit OpenSSL from negotiating
TLS/1.3 with clients, peers or servers.


 * Bug 4953: to_localhost does not include ::

Some operating systems treat the unspecified destination address as an
implicit localhost connection attempt. This was a well-known issue with
IPv4 which was supposed to be prohibited for IPv6 traffic. However, once
again operating systems have appeared which treat IPv6 :: as an alias of
localhost.

To make matters worse some domains return :: explicitly as their IP
address in DNS replies.

We have added ::/128 to the pre-defined to_localhost ACL. Any users of
that ACL not able to update are advised to add this to their squid.conf
immediately:

  acl to_localhost dst ::/128
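The effect of that missing entry, shown by evaluating a Squid-style `dst` ACL over a few destination addresses. This is an added example and not Squid code; the network list it starts from is a constructed to_localhost definition (the announcement only states that ::/128 was absent, so the other entries are assumed, not quoted from Squid's default).

```python
"""Why to_localhost needs ::/128: evaluate a `dst` ACL (added example)."""
import ipaddress

# Constructed to_localhost definition as it might look before the fix
# (assumed entries, not Squid's actual default).
TO_LOCALHOST_BEFORE = ["127.0.0.0/8", "0.0.0.0/32", "::1/128"]
# The same list with the entry the Squid-4.8 announcement adds.
TO_LOCALHOST_AFTER = TO_LOCALHOST_BEFORE + ["::/128"]


def dst_acl_matches(dst, networks):
    """True if the destination falls in any listed network, the way a
    Squid `dst` ACL with several values matches on any one of them."""
    addr = ipaddress.ip_address(dst)
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        if addr.version == network.version and addr in network:
            return True
    return False


def reaches_localhost(dst):
    """Version-independent test: the OS may turn a connection to an
    unspecified address (0.0.0.0 or ::) into a localhost connection, so
    a rule meant to fence off localhost must cover loopback and
    unspecified addresses alike."""
    addr = ipaddress.ip_address(dst)
    return addr.is_loopback or addr.is_unspecified


def escaping_destinations(dsts, networks):
    """Destinations that can reach localhost yet are not caught by the ACL."""
    return [d for d in dsts if reaches_localhost(d) and not dst_acl_matches(d, networks)]


SAMPLE_DSTS = ["127.0.0.1", "0.0.0.0", "::1", "::", "203.0.113.10"]

if __name__ == "__main__":
    print(escaping_destinations(SAMPLE_DSTS, TO_LOCALHOST_BEFORE))  # ['::']
    print(escaping_destinations(SAMPLE_DSTS, TO_LOCALHOST_AFTER))   # []
```

The `reaches_localhost` check is the property to test a deny rule against: an address list that only enumerates loopback ranges silently misses the unspecified address of the other IP version.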


 * Bug 4889: Ignore ECONNABORTED in accept(2)

This shows up as a large number of hung socket connections and/or
cache.log entries like:
  oldAccept ...: (53) Software caused connection abort

It primarily occurs on OpenBSD 6.5 and later, but may be seen on other
systems as well.



  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-announce] [ADVISORY] SQUID-2019:8 Multiple issues in URI processing

2019-11-08 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:8
__

Advisory ID:        SQUID-2019:8
Date:               November 05, 2019
Summary:            Multiple issues in URI processing.
Affected versions:  Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.8
Fixed in version:   Squid 4.9
__

http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18676
__

Problem Description:

 Due to improper input validation Squid is vulnerable to security
 bypass attacks. Attacker can gain access to restricted HTTP
 servers.

 Due to incorrect input validation Squid is vulnerable to a buffer
 overflow which can result in Denial of Service to all clients
 using the proxy.

__

Severity:

 Any remote client may access resources which should be restricted
 and not available to them, such as those protected behind client
 IP ACLs. An attacker could also gain access to manager services
 when the Via header is turned off.

 Any remote client can perform a Denial of Service on all other
 clients using the proxy.

__

Updated Packages:

 These bugs are fixed by Squid version 4.9.

 In addition, a patch addressing this problem for stable releases
 can be found in our patch archives:

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

Use the command 'squid -v' to view version and build details of
your proxy:

 All Squid 2.x have not been checked.

 All Squid-3.x up to and including 3.5.28 are vulnerable.

 All Squid-4.x up to and including 4.8 are vulnerable.

__

Workaround:

 Access to manager services can be prevented by enabling the Via
 header:
   via on

 There are no reliable workarounds to prevent access to restricted
 upstream servers.

 There are no workarounds for the Denial of Service issue.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__

Credits:

 The security bypass vulnerability was discovered by Jeriko One
 .

 The Denial of Service vulnerability was discovered by Kristoffer
 Danielsson.

 Fixed by Amos Jeffries, Treehouse Networks Ltd.

__

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE-2019-12523 Assignment
 2019-07-03 01:07:41 UTC Additional Report
 2019-11-04 13:43:22 UTC CVE-2019-18676 Assignment
__
END


[squid-announce] [ADVISORY] SQUID-2019:9 Cross-Site Request Forgery issue in HTTP Request processing

2019-11-08 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:9
__

Advisory ID:        SQUID-2019:9
Date:               November 05, 2019
Summary:            Cross-Site Request Forgery issue
                    in HTTP Request processing.
Affected versions:  Squid 2.x -> 2.7.STABLE9
                    Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.8
Fixed in version:   Squid 4.9
__

http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18677
__

Problem Description:

 Due to incorrect message processing Squid configured with
 append_domain can inappropriately redirect traffic to origins it
 should not be delivered to.

__

Severity:

 This issue allows attackers to hide origin servers for phishing
 attacks or malware download URLs.

 This issue is restricted to proxies with append_domain
 configured. It is relatively easy for attackers to probe and
 determine whether a target network proxy has this directive
 along with its value.

__

Updated Packages:

 This bug is fixed by Squid version 4.9.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch>

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid without append_domain configured are not vulnerable.

 All Squid-2.x up to and including 2.7.STABLE9 with append_domain
 configured are vulnerable.

 All Squid-3.x up to and including 3.5.28 with append_domain
 configured are vulnerable.

 All Squid-4.x up to and including 4.8 with append_domain
 configured are vulnerable.


To determine whether append_domain is configured use the command:

 squid -k parse | grep append_domain

__

Workarounds:

 Remove append_domain configuration settings from squid.conf.

 The append_domain feature is redundant when /etc/resolv.conf
 is used to determine hostnames. However, please note that use
 of /etc/resolv.conf may require removal of dns_nameservers and
 other redundant DNS directives.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Kristoffer Danielsson.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-06-26 21:43:49 UTC Initial Report
 2019-07-12 03:08:00 UTC Patches Released
 2019-11-04 13:43:22 UTC CVE-2019-18677 Assignment
__
END


[squid-announce] [ADVISORY] SQUID-2019:7 Heap Overflow issue in URN processing

2019-11-08 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:7
__

Advisory ID:        SQUID-2019:7
Date:               November 5, 2019
Summary:            Heap Overflow issue
                    in URN processing.
Affected versions:  Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.8
Fixed in version:   Squid 4.9
__

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526
__

Problem Description:

 Due to incorrect buffer management Squid is vulnerable to a
 heap overflow and possible remote code execution attack when
 processing URN.

__

Severity:

 This allows a malicious client to write a substantial amount of
 arbitrary data to the heap, potentially gaining the ability to
 execute arbitrary code.

 On systems with memory access protections this can result in
 the Squid process being terminated unexpectedly, resulting in a
 denial of service for all clients using the proxy.

__

Updated Packages:

 This bug is fixed by Squid version 4.9.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid-3.x up to and including 3.5.28 are vulnerable.

 All Squid-4.x up to and including 4.8 are vulnerable.

__

Workarounds:

 Deny urn: protocol URI being proxied to all clients:

acl URN proto URN
http_access deny URN

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Jeriko One
 .

 Fixed by Eduard Bagdasaryan of The Measurement Factory.

__

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE Assignment
 2019-09-15 15:32:30 UTC Patches Released
__
END


[squid-announce] Squid 4.9 is available

2019-11-08 Thread Amos Jeffries
otocol
"tunnel" action resulted in a Squid error response sent to the client
(or, where an error response was not possible, in a connection closure).


 * Fix several rock cache_dir corruption issues

The previous design of the rock storage system means that rock caches
may become littered with incomplete objects, or objects with an
incorrect final chunk. Data protection measures will normally catch
these and report metadata mismatches. However there is a possibility
that some such responses may be delivered.

It is recommended that users with cache_dir rock configured perform a
cache erase and rebuild procedure during or shortly after upgrading.
 <https://wiki.squid-cache.org/SquidFaq/ClearingTheCache>



  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries






[squid-announce] [ADVISORY] SQUID-2019:10 HTTP Request Splitting issue in HTTP message processing

2019-11-08 Thread Amos Jeffries
__

Squid Proxy Cache Security Update Advisory SQUID-2019:10
__

Advisory ID:        SQUID-2019:10
Date:               November 05, 2019
Summary:            HTTP Request Splitting issue
                    in HTTP message processing.
Affected versions:  Squid 3.0 -> 3.5.28
                    Squid 4.x -> 4.8
Fixed in version:   Squid 4.9
__

http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18678
__

Problem Description:

 Due to incorrect message parsing Squid is vulnerable to an HTTP
 request splitting issue.

__

Severity:

 This issue allows attackers to smuggle HTTP requests through
 frontend software to a Squid which splits the HTTP Request
 pipeline differently. The resulting Response messages corrupt
 caches between client and Squid with attacker controlled content
 at arbitrary URLs.

 Effects are isolated to software between the attacker client and
 Squid. There are no effects on Squid itself, nor any upstream
 servers.
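The root condition the advisory describes is that two hops parse the same byte stream into different request boundaries. The usual defensive answer is to refuse any message whose framing is open to more than one interpretation, so that every hop either agrees on the split or rejects the stream. The following Python is an added illustration of that approach; it is not Squid code, does not reproduce the specific parsing defect fixed in 4.9 (which the advisory does not detail), and its function names, error class and sample requests are all constructed here.

```python
"""Conservative HTTP/1.1 request-pipeline splitter (added example, not Squid code).

Every construct that real-world parsers are known to treat differently
(bare LF line endings, obsolete line folding, whitespace before the colon,
duplicate or non-numeric Content-Length, Content-Length together with
Transfer-Encoding, non-chunked or extended chunk encodings) is rejected
outright rather than interpreted, so a front end and a back end using this
logic cannot disagree on where one request ends and the next begins.
"""
import re


class FramingError(ValueError):
    """Raised when a request's message boundary is ambiguous or malformed."""


# \Z rather than $ so a trailing bare LF cannot satisfy the request line.
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\Z")
_HEADER_NAME = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+\Z")


def _parse_headers(block):
    """Parse a CRLF-delimited header block into a list of (name, value)."""
    headers = []
    for line in block.split(b"\r\n"):
        if b"\n" in line or b"\r" in line:
            raise FramingError("bare CR or LF inside header line")
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete header folding")
        name, sep, value = line.partition(b":")
        if not sep or not _HEADER_NAME.match(name):
            raise FramingError("malformed header name: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return headers


def _body_length(headers):
    """Return ('length', n) or ('chunked', None); ambiguous framing raises."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if tes and cls:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("unsupported Transfer-Encoding: %r" % tes)
        return "chunked", None
    if cls:
        # Even identical duplicates are refused: the conservative choice.
        if len(cls) != 1 or not cls[0].isdigit():
            raise FramingError("duplicate or non-numeric Content-Length")
        return "length", int(cls[0])
    return "length", 0


def _read_chunked(data, pos):
    """Decode a chunked body starting at pos; return (body, new_pos)."""
    body = b""
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_line = data[pos:end]
        if not _CHUNK_SIZE.match(size_line):
            raise FramingError("non-hex chunk size or chunk extension")
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            # Trailers are not accepted; the body must end with 0 CRLF CRLF.
            if data[pos:pos + 2] != b"\r\n":
                raise FramingError("missing final CRLF after last chunk")
            return body, pos + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated or unterminated chunk")
        body += chunk
        pos += size + 2


def split_pipeline(data):
    """Split a byte stream into (method, target, headers, body) tuples.

    Leftover bytes that do not form a complete request raise FramingError
    instead of being silently dropped or carried over to the next read.
    """
    requests = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            raise FramingError("incomplete header block")
        first, _, rest = data[pos:end].partition(b"\r\n")
        m = _REQUEST_LINE.match(first)
        if not m:
            raise FramingError("malformed request line: %r" % first)
        headers = _parse_headers(rest) if rest else []
        pos = end + 4
        kind, n = _body_length(headers)
        if kind == "chunked":
            body, pos = _read_chunked(data, pos)
        else:
            body = data[pos:pos + n]
            if len(body) != n:
                raise FramingError("truncated body")
            pos += n
        requests.append((m.group(1), m.group(2), headers, body))
    return requests


def is_ambiguous(data):
    """True if the stream would be refused by split_pipeline."""
    try:
        split_pipeline(data)
    except FramingError:
        return True
    return False
```

The splitter is deliberately stricter than RFC 7230 requires (for example it refuses chunk extensions and identical duplicate Content-Length headers). That is the design choice a proxy in front of shared caches should make: anything it cannot frame with certainty is a 400, never a best guess that a neighbouring hop may frame differently.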

__

Updated Packages:

 This bug is fixed by Squid version 4.9.

 In addition, a patch addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid-2.x have not been checked.

 All Squid-3.x up to and including 3.5.28 are vulnerable.

 All Squid-4.x up to and including 4.8 are vulnerable.

__

Workarounds:

 There are no workarounds for this vulnerability.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Régis Leroy (regilero
 from Makina Corpus).

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2019-07-24 11:52:51 UTC Initial Report
 2019-09-11 02:52:52 UTC Patches Released
 2019-11-04 13:43:22 UTC CVE Assignment
__
END