The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-5.2 release!

This release is a security release resolving several
vulnerabilities and bugs found in the prior Squid releases.

The major changes to be aware of:

 * SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2
   (CVE-2021-28116 aka ZDI-CAN-11610)

 Due to an out of bounds memory access Squid is vulnerable to an
 information leak vulnerability when processing WCCPv2 messages.

 This problem allows a WCCPv2 sender to corrupt Squids list of
 known WCCP routers and divert client traffic to attacker
 controlled routers.

 This attack is limited to Squid proxy with WCCPv2 enabled and
 IP spoofing of a router IP address configured as trusted in

 * SQUID-2021:6 Improper Certificate Validation of TLS server

 When validating an origin server or peer certificate, Squid may
 incorrectly classify certain certificates as trusted.

 This problem allows a remote server to obtain security trust
 when the trust is not valid. This indication of trust may be
 passed along to clients allowing access to unsafe or hijacked

 This problem is guaranteed to occur when multiple CA have
 signed the TLS server certificate. It may also occur in cases
 of broken server certificate chains.

 * Bug 4922: Improve ftp://... filename extraction

 Since 3.5 Squid has incorrectly truncated FTP downloads when
 the transfer is made in ASCII mode (with ';type=' argument).
 This release can be expected to work when downloading from all
 FTP servers.

 * Bug 5164: a copy-paste typo in HttpHdrCc::hasMinFresh()

 This bug shows up as incorrect HIT and MISS results when
 caching responses from a server using Cache-Control:min-fresh.

  All users of Squid are encouraged to upgrade as soon as

See the ChangeLog for the full list of changes in this and
earlier releases.

Please refer to the release notes at
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug

Amos Jeffries
squid-announce mailing list

Reply via email to