The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.6 release!

This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.

  NP: this release announcement also covers 4.0.5 change details.

The major changes to be aware of:

* SQUID-2016:1 - Remote Denial of Service in SSL/TLS handling

This shows up as Squid crashing after a failed TLS server connection.
Since Squid built with TLS/SSL support perform outbound TLS server
connections independent of inbound client request type it can be
triggered by a plain-text HTTP message.

 Affected Squid versions are:
   3.5.13, 4.0.4, 4.0.5 built using --with-openssl

See the advisory for further details. Upgrade to this beta is highly
recommended, even for older unaffected Squid-4 releases.

* Several regression bugs fixed

 - Bug 4436: Fix DEFAULT_SSL_CRTD
 - Bug 4429: http(s)_port options= error message missing characters
 - Bug 4410: compile error in basic_ncsa_auth after 4.0.4
 - Bug 4403: helper compile errors after 4.0.4
 - Bug 4401: compile error on Solaris
 - Fix: TLS/SSL flags parsing
 - Fix: cert validator always disabled in 4.0.x
 - Fix: Name-only note ACL stopped matching after 4.0.4 (note -m)
 - Fix: external_acl problems after 4.0.1

* SSL related helpers changed

This release adds two new ./configure options

These build options operate the same as external ACL and authentication
helper build options. But control whether the SSL certificate validator
and SSL-Bump certificate generator helper(s) are built.

As part of this change;

 - the ssl_crtd helper is renamed to security_file_certgen
   (built with --enable-security-generators=file), and

 - the helper is renamed to security_fake_certverify
   (built with --enable-security-validators=fake).

* Add connections_encrypted ACL

This new ACL only matches true when all the external connections
involved with a transaction (so far) have been secured. It can be used
to prohibit sending traffic received over a secure connection to
insecure services such as URL-rewriters, ICAP, eCAP, cache_peer, or to
set tcp_outgoing_* details differently for secure/insecure transactions.

* Fix SSL-Bump step 3 splice action

This bug shows up as Squid HTTPS transactions hanging while contacting
an upstream TLS server. It occurs when splice action is selected for use
at stage 3 of SSL-Bumping.

 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to