The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.4.13 release!

This release is a security fix release resolving a vulnerability and som
ebugs found in the prior 3.4 releases.

    REMINDER: This and older releases are already deprecated by
              Squid-3.5 availablility.

The major changes to be aware of:

* CVE-2015-3455 : SQUID-2015:1 Incorrect X509 server certificate valdidation

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority to
abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

A squid.conf workaround is available for quick use and those unable to
upgrade. See the Advisory notice for details.

* Regression Bug 4212: ssl_crtd crashes with corrupt database

The fix for Bug 3664 introduced a regression on BSD and Linux where
lockf() implementations appear not to lock the entire file correctly or
as reliably as flock(). As a result ssl_crtd records would overwrite
each other. The helper would abort Squid on detecting the corruption.

 All users are urged to upgrade as soon as possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.4

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to