The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.8 release!

This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:4 - Denial of Service issue in HTTP Response processing
    aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
"*: 'len_ + len <65536'"

There is an attack in the wild for this one, but it is not as widely
exploited as the previous issues.

* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.
    aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.

All previous Squid-4 releases are affected by both these issues. See the
advisory for further details. Upgrade should be considered a high priority.
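Added example, not part of the announcement or the Squid project's code: a small POSIX shell triage helper that counts the two symptoms named above in a cache.log, the String length assertion text for SQUID-2016:4 and Icmp6::Recv errors for SQUID-2016:3. The sample log lines it writes are constructed and only approximate the real cache.log format; the match patterns are kept loose so spacing differences in the assertion text do not matter.

```shell
#!/bin/sh
# Triage helper (added example, not Squid project code): count cache.log lines
# matching the symptoms the announcement lists for SQUID-2016:4 (String length
# assertion) and SQUID-2016:3 (pinger Icmp6::Recv errors).

# count_symptoms LOGFILE -> prints "<assertion_count> <icmp6_count>"
count_symptoms() {
    log="$1"
    # grep -c prints 0 and exits 1 when nothing matches; '|| true' keeps the
    # function usable under 'set -e'.
    asserts=$(grep -c 'len_ + len <' "$log" || true)
    icmp6=$(grep -c 'Icmp6::Recv' "$log" || true)
    echo "$asserts $icmp6"
}

# triage_verdict LOGFILE -> one-line verdict; returns 1 if any symptom was seen
triage_verdict() {
    set -- $(count_symptoms "$1")
    if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
        echo "SYMPTOMS FOUND: $1 String assertion(s), $2 Icmp6::Recv error(s); upgrade to 4.0.8"
        return 1
    fi
    echo "no known symptoms in log"
    return 0
}

# make_sample_log PATH -> writes a constructed cache.log (format approximated,
# not a real capture) containing one assertion and two Icmp6::Recv lines.
make_sample_log() {
    cat > "$1" <<'EOF'
2016/04/01 10:00:01 kid1| Starting Squid Cache version 4.0.x for x86_64-pc-linux-gnu...
2016/04/01 10:02:13 kid1| assertion failed: String.cc: 'len_ + len <65536'
2016/04/01 10:02:14 kid1| pinger: Icmp6::Recv: recvfrom: (11) Resource temporarily unavailable
2016/04/01 10:02:14 kid1| pinger: Icmp6::Recv error, exiting
2016/04/01 10:02:20 kid1| Squid Cache (Version 4.0.x): Terminated abnormally.
EOF
}

# Stand-alone demonstration on the constructed log.
tmp=$(mktemp)
make_sample_log "$tmp"
triage_verdict "$tmp" || :
rm -f "$tmp"
```

Point `triage_verdict` at a real cache.log (or a rotated copy) on a host that is still running an affected 4.0.x build; a non-zero exit is a convenient hook for a monitoring check.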

* Bug #3826: SMP compatibility with systemd and --foreground option

The process management redesign in Squid-4 has finally reached a point
where we can say Squid is compatible with the systemd init system even
when SMP workers are used. A .service file is provided to control Squid
properly without any noticeable glitches or lack of SMP functionality.

These changes are not specific to systemd: the same design fixes many
outstanding issues Squid had with the Upstart and OpenRC init systems and
with third party daemon managers in general.

* Bug #1979: Add ACL-driven server_pconn_for_nonretriable

This new squid.conf directive allows the admin to tune when Squid may
re-use existing persistent connections for non-retriable requests such as
POST, which are usually quite risky. The risk is that the server
terminates the connection suddenly while Squid is still sending, and the
failure has to be bumped back to the client as an error page. Some
networks are loaded with enough traffic that this is only a low risk and
can safely use persistent connections for such requests.

* Bug #4459: FHS compliance updates

The FHS standard indicates that the /var/cache/squid/ path should be used
for cached data. The netdb feature's data journal fully meets the criteria
and has been moved there. The ssl_crtd database (ssl_db/ directory) almost
meets the criteria and has also been moved, because it needs particular
path permissions for security reasons.

Explicitly configured alternative locations will remain where they are.
New installations and implicit default paths will automatically change
to using these locations when upgrading to this Squid version.

* Add reply_header_add directive

This new directive adds the ability to add custom response headers to
replies sent to the client, matching the already existing
request_header_add directive which operates on server requests. At
present CONNECT tunnels and 1xx status responses are not affected by
this new directive.

* Add shared_memory_locking directive

When using SMP functionality Squid makes use of shared memory. If the
system is not able to allocate enough memory, Squid can crash with SIGBUS.

This new directive adds the ability to pre-allocate all necessary shared
memory when Squid is starting. Doing this will ensure that Squid has the
necessary amount of shared memory available when running (or will halt
during startup), but the process can be quite slow. The default for now
is to retain the old behaviour and allocate shared memory only when it
is needed.
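Added example covering the three new directives described above (server_pconn_for_nonretriable, reply_header_add and the shared memory pre-allocation directive, which Squid's configuration documentation names shared_memory_locking); it is not code from the announcement or the Squid project. The shell functions write a minimal squid.conf exercising them and, when a squid binary is present, run `squid -k parse` against it. The ACL names, domains and header values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Squid project code): emit a minimal squid.conf that uses
# the three directives introduced in this release, then parse-check it.

# squid_fragment -> prints the configuration to stdout
squid_fragment() {
    cat <<'EOF'
# Minimal listener so the file parses stand-alone (assumed port).
http_port 3128

# --- SMP: lock all required shared memory at startup so a shortage halts
#     startup instead of killing a worker with SIGBUS later. Default is off.
workers 2
shared_memory_locking on

# --- Reuse idle server connections for non-retriable requests (POST, PUT)
#     only towards destinations where reconnects are expensive and a surprise
#     close is an accepted risk. With no lines, Squid behaves as 'deny all'.
#     (ACL name and domain are assumptions.)
acl pconn_ok_dst dstdomain .internal.example
server_pconn_for_nonretriable allow pconn_ok_dst
server_pconn_for_nonretriable deny all

# --- Add hardening headers to responses for our own origins only.
#     Syntax mirrors request_header_add: field-name field-value [acl ...]
#     (ACL name, domain and header choices are assumptions.)
acl our_origins dstdomain .example.com
reply_header_add X-Content-Type-Options "nosniff" our_origins
reply_header_add X-Frame-Options "DENY" our_origins
EOF
}

# write_fragment PATH -> writes the configuration to PATH
write_fragment() {
    squid_fragment > "$1"
}

# has_directive PATH NAME -> succeeds if an uncommented line starts with NAME
has_directive() {
    grep -q "^$2 " "$1"
}

# count_directive PATH NAME -> prints how many uncommented lines start with NAME
count_directive() {
    grep -c "^$2 " "$1" || true
}

# parse_if_possible PATH -> run Squid's own parser on the file when the binary
# exists; otherwise say so and succeed, so the helper is safe in CI.
parse_if_possible() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed here; skipping 'squid -k parse -f $1'"
    fi
}

# Stand-alone demonstration.
out=$(mktemp)
write_fragment "$out"
echo "wrote $out:"
cat "$out"
parse_if_possible "$out" || :
rm -f "$out"
```

Keep server_pconn_for_nonretriable scoped to a narrow ACL: every allow line trades a cheaper connection for the chance that a POST fails with an error page instead of being retried, exactly the trade-off the announcement describes.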

All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list
