The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.7 release!

This release is a security release resolving several major
vulnerabilities found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response

The visible symptoms of these are various assertions about:
 "*: 'len_ + len <65536'"
 "*: 'isEmpty()'"

There are a number of known attacks involved for both of these
assertions. Almost all are now fully fixed or rendered harmless to other
transactions. However, some hard-to-trigger ones are not yet resolved.

Normally we would not release this advisory and packages until a full
fix or workaround was confirmed. However these assertions have recently
become the topic of a lot of public discussion and a trivial PoC is now
available. We have chosen to release the existing fixes now as work
continues towards a final resolution.

  All Squid-3 and Squid-4 releases to date are affected.

See the advisory for further details. Upgrade or patching should be
considered a high priority.

* Bug 4111: leave_suid() does not properly handle error codes returned
by setuid

This bug was technically a privilege escalation. However, there are no
known instances of it occurring, so it is considered a minor issue and
this change should have no noticeable effects on installations.

However, be aware that any installations which would previously have
been at risk and were ignoring the security ALERT messages will now
abort with a FATAL error. In such cases the system environment needs to
be corrected so that Squid will run without needing root privileges for
the HTTP handling worker process.

* Fix external_acl parameters separated by %20 instead of space

The 'ACL data' sent to external ACL helpers may contain whitespace
delimited lists of ACL values to be tested, or otherwise used by the helper.

It has come to light that the Squid-4 backward compatibility code in
external ACL helper lookups, used when the %DATA token(s) sent to the
helper are to be %-encoded as a single token, is unable to accurately
emulate previous versions. Due to various bugs, Squid-3 versions
alternately encoded the explicit %DATA token as a single token, sent "-"
as its value (again as a single token), or implicitly sent an
individually encoded set of multiple values. Older Squid-2 sent a
different set of possibilities as well.

For simplicity, as of this release we are dropping backward compatibility
variance in the encoding of %DATA. Token(s) will not be encoded by
default, whether explicitly used at a certain position or implicitly
appended to the lookup line. A logformat encoding modifier must be
specified inside the %DATA format code if the helper requires a single
token/field in its input.

Some helpers may need re-coding or squid.conf updates to handle the new
protocol syntax or potential whitespace in the token(s) produced by the
%DATA format code.

For maximum compatibility with older Squid versions, helpers should
expect several whitespace-delimited values at the end of the lookup line,
and RFC1738 un-encoding whatever is given is recommended.
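As an added example (not code from the Squid project), a minimal Python external ACL helper written to the advice above. It assumes an external_acl_type FORMAT consisting of the concurrency channel-ID, one fixed field such as %LOGIN, and %DATA at the end; the group names and sample lookup lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Constructed external ACL helper that RFC1738-decodes every trailing token,
so it accepts both the older single %-encoded %DATA token and the several
raw whitespace-delimited values sent by Squid-4.0.7 and later."""
import sys
from urllib.parse import unquote

# Constructed policy: group names the helper treats as authorised.
ALLOWED_GROUPS = {"staff", "admins"}

# Constructed lookup lines: new multi-token shape, old single-token shape,
# and the Squid-3 "-" placeholder meaning "no data".
SAMPLE_NEW = "0 alice staff sales\n"
SAMPLE_OLD = "1 bob staff%20sales\n"
SAMPLE_EMPTY = "2 carol -\n"


def parse_lookup_line(line, fixed_fields=1):
    """Return (channel_id, fixed_values, data_values) for one lookup line.

    Assumed FORMAT layout: channel-ID, `fixed_fields` fixed codes, then %DATA.
    """
    tokens = line.rstrip("\r\n").split()
    if len(tokens) < 1 + fixed_fields:
        raise ValueError("short lookup line: %r" % line)
    channel = tokens[0]
    fixed = [unquote(t) for t in tokens[1:1 + fixed_fields]]
    data = []
    for token in tokens[1 + fixed_fields:]:
        # A single %-encoded token decodes to "a b c"; split it again so the
        # helper sees the same list as for the raw multi-token shape. This is
        # only valid when ACL values themselves never contain whitespace.
        data.extend(unquote(token).split())
    if data == ["-"]:
        data = []
    return channel, fixed, data


def decide(line):
    """Build the reply line for one lookup: OK, ERR, or BH on malformed input."""
    try:
        channel, (user,), groups = parse_lookup_line(line)
    except ValueError:
        return "BH"  # helper-side failure, distinct from a policy denial
    verdict = "OK" if ALLOWED_GROUPS.intersection(groups) else "ERR"
    return "%s %s" % (channel, verdict)


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer output


if __name__ == "__main__":
    main()
```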

* Fix memory leak using sslcrtvalidator_program with no cache

When the helper response cache is disabled by the ttl=0 parameter for
these helpers, previous Squid releases would leak a large amount of
memory used to store the certificate details.

 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list
