The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.9 release!

This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:5 - Buffer overflow in cachemgr.cgi
    aka. CVE-2016-4051

Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.

* SQUID-2016:6 - Multiple issues in ESI processing.
    aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are
at risk. Check the advisory for more specific details on determining
whether your Squid is vulnerable.

* Add a new error page token for unquoted external ACL messages.

This small feature addition may be of use to those who have been asking
for ways to insert content into Squid error pages from external ACL
helper responses.

* Stop parsing response prefix after discovering an "HTTP/0.9" response.

It appears that there are still some very old servers out there or at
least services using port 80 for non-HTTP protocols. The new Squid-4
parser has not been dealing with these very well. This release should be
a lot more stable with the HTTP/1.1 conversion of that response traffic.

 All users of Squid-4.0.x are urged to upgrade to this release as soon
as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to