The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.14 release!

This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling

This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support perform outbound TLS server
connections independent of inbound client request type it can be
triggered by a plain-text HTTP message.

 Affected Squid versions are:
  3.5.13, 4.0.4, 4.0.5 built using --with-openssl

See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected releases.

* Bug #4431: C code is not compiled with CFLAGS

This bug in the build toolchain has existied since at lease 3.2 and
meant the few C objects still being built as part of Squid and helpers
were not being built using the proper CFLAGS values.

Builds for unusual environments or with customised CFLAGS values will
need to take some extra care and testing with this release to ensure the
desired compiler actions are occuring.

* Fix %un logging external ACL username

This issue affects both logging and the key_extras feature of 3.5 which
both rely on logformat codes. It shows up in two ways;

 - For Squid relying exclusively on external ACL helper side-band
authentication the username would not be logged at all.

 - For Squid relying on multiple sources of authentication the username
for another source could wrongly be displayed instead of the external
ACL provided value.

* Fix invalid FTP connection handling on blocked content

This issue shows up as 'hanging' FTP transactions when an ICAP service
has explicitly requested that they be blocked / rejected / denied.

 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to