Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.9 release!

This release is a bug fix release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

* Bug 3803: ident leaks memory on failure

Please note that on Squid which have been configured to send IDENT
queries to WAN visitors this can become a remotely triggerable
security vulnerability. A remote attacker can DoS the Squid service by
sending enough HTTP traffic from hosts not responding to IDENT that
the memory leak overwhelms the Squid server.

IMPORTANT: Correct configuration of IDENT in Squid includes
ident_access ACLs limiting IDENT queries to being sent only to LAN
(localnet) clients.

* Bug 4102: ssl_bump certificate contains only a dot character in key
usage extension

The previous fix for bug 3966 was incorrect. SSL-bump generated
certificates would display with valid version for key exytensions to
exist but have a single "." character as the key extension field contents.

There have been reports that this fix is still incomplete and there
may be further fixes needed on top of this one. However this fix alone
resolves browser issues with many websites using simple key extensions.

* Bug 4088: memory leak in external_acl_type helper

This bug would appear as a memory leak if an external_acl_type helper
is configured with either of the cache=0, ttl=0 or negative_ttl=0
options. Leaked bytes amounted to the size of the helper lookup,
response and HTTP request headers on any helper lookups which were not
cached - that could be several MB per minute on a busy proxy.

* Bug 4024: Bad host/IP ::1 when using IPv4-only environment

This bug would show up as a fatal configuration error processing the
default ::1 localhost address on a system with IPv6 completely
disabled in the host DNS resolver library.

disabling IPv6 entirely violates the Internet standard BCP 177
"IPv6 Support Required for All IP-Capable Nodes".

HTTP is one of the protocols where IP addresses are embeded in the
layer-3 protocol syntax. There are no guarantees of correct proxying
operation if the system underlying Squid prevents it correctly
interpreting IPv6 elements within HTTP messages.

All users of Squid with IDENT are urged to upgrade to this release as
soon as possible.

All users of Squid with SSL-bump are urged to upgrade to this release
as soon as possible.

All other users of Squid are encouraged to upgrade to this release as
time permits.

See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.4

Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers


or the mirrors. For a list of mirror sites see


If you encounter any issues with this release please file a bug report.

Amos Jeffries

Version: GnuPG v2.0.22 (MingW32)

squid-announce mailing list

Reply via email to