The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.15 release!

This release is a security release resolving several major
vulnerabilities found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response

The visible symptoms of these are various assertions about:
 "*: 'len_ + len <65536'"
 "*: 'isEmpty()'"

There are a number of known attacks involved for both of these
assertions. Almost all are now fully fixed or rendered harmless to other
transactions. However some hard to trigger ones are not yet resolved.

Normally we would not release this advisory and packages until a full
fix or workaround was confirmed. However these assertions have recently
become the topic of a lot of public discussion and a trivial PoC is now
available. We have chosen to release the existing fixes now as work
continues towards a final resolution.

  All Squid-3 and Squid-4 releases to date are affected.

See the advisory for further details. Upgrade or patching should be
considered a high priority.

 All users of Squid-3 or older are urged to upgrade to this release as
soon as possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries
squid-announce mailing list

Reply via email to