Linux System Administrator
Email: [hidden email]
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Tuesday, July 31, 2018 9:09 AM
To: [hidden email]
Subject: [squid-users] [squid-announce] Squid 3.5.28 is available
The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.28 release!
This release is a security fix release resolving several major issues found in the prior Squid releases.
REMINDER: This and older releases are already deprecated by
The major changes to be aware of:
* SQUID-2018:1 / CVE-2018-1000024
Crash processing SSL-Bumped traffic containing ESI
* rock only storage: disk IO drops entirely after high load
This bug occurs when Squid is configured with rock only storage. After a long period of high load or a shorter period of extremely high load, disk IO drops entirely. Even after giving Squid time to recover and then resuming a low load the diskers were just not doing anything.
A lot of "run out of shared memory pages for IPC I/O" errors may be seen during the high load, which continue to remain on smaller loads after the recovery time.
* Crash with multiple workers receiving IPv6 SNMP queries
This problem appears as a crash when Squid is operating with multiple workers and receiving IPv6 SNMP queries.
* Bug 2821: Ignore Content-Range in non-206 responses
Squid used to honor Content-Range header in HTTP 200 OK (and possibly other non-206) responses, truncating (and possibly enlarging) some response bodies. RFC 7233 declares Content-Range meaningless for standard HTTP status codes other than 206 and 416. Squid now relays meaningless Content-Range as is, without using its value.
* SSL-Bump: fix authentication with schemes other than Basic
Squid-3.4.5 included a fix for handling Basic authentication of a CONNECT tunnel which is being bumped. Requests within it were intended to inherit the credentials of the tunnel, allowing Squid ACLs to use authentication tests on the bumped traffic.
This release finally extends that fix to make bumped traffic inherit the authentication credentials from the CONNECT tunnel regardless of authentication type.
* TPROXY: Fix clientside_mark and client port logging
The clientside_mark ACL was not working with TPROXY because a conntrack query could not find connmark without a true client port.
This also affected helpers and ACLs using client dst-port number prior to logging when traffic was received with TPROXY.
* Fix "Cannot assign requested address" for to-origin TPROXY FTP data
This release adds the capability for TPROXY to be used on Native FTP traffic (received at ftp_port). Prior releases would present the above error when establishing FTP data connection and abort the transaction.
All users of Squid-3 with SSL-Bump functionality are encouraged to upgrade to this release as soon as possible.
All other users of Squid-3 are encouraged to upgrade to this release as time permits.
See the ChangeLog for the full list of changes in this and earlier releases.
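The Bug 2821 item above says Squid used to act on Content-Range in 200 OK responses and that RFC 7233 only gives the header meaning on 206 and 416. The following is an added example written for this page, not Squid's own code: a small, constructed model of that decision, with the pre-fix behaviour (trust Content-Range on any status, so a 200 body gets cut to the range length) beside the fixed behaviour (use the value only for 206/416, otherwise relay the body as-is). The header parsing follows the RFC 7233 `byte-content-range` grammar (`bytes first-last/complete`, `bytes first-last/*`, `bytes */complete`); the `relay_body` function and the `pre_fix` flag are assumptions made for illustration and do not mirror Squid's internals.

```python
import re
from typing import Dict, Optional

# RFC 7233: Content-Range carries meaning only on 206 Partial Content
# and 416 Range Not Satisfiable. On any other status it is ignored.
CONTENT_RANGE_STATUSES = {206, 416}

# byte-range-resp  = first-byte-pos "-" last-byte-pos "/" ( complete-length / "*" )
# unsatisfied-range = "*/" complete-length
_BYTE_RANGE_RESP = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")
_UNSATISFIED = re.compile(r"^bytes \*/(\d+)$")


def parse_content_range(value: str) -> Optional[Dict[str, Optional[int]]]:
    """Parse an RFC 7233 byte-content-range.

    Returns {"first", "last", "complete"} (first/last are None for the
    unsatisfied form, complete is None for "*"), or None when the value
    is not a valid byte-content-range (wrong unit, last < first, or a
    range that does not fit inside the stated complete length).
    """
    v = value.strip()
    m = _UNSATISFIED.match(v)
    if m:
        return {"first": None, "last": None, "complete": int(m.group(1))}
    m = _BYTE_RANGE_RESP.match(v)
    if not m:
        return None
    first, last = int(m.group(1)), int(m.group(2))
    complete = None if m.group(3) == "*" else int(m.group(3))
    if last < first:
        return None
    if complete is not None and last >= complete:
        return None
    return {"first": first, "last": last, "complete": complete}


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    name = name.lower()
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def relay_body(status: int, headers: Dict[str, str], body: bytes,
               pre_fix: bool = False) -> bytes:
    """Return the body a proxy relays for this response (constructed model).

    pre_fix=True models the behaviour described in Bug 2821: Content-Range
    was trusted regardless of status, so a 200 OK body was cut to the
    length the header claimed. pre_fix=False models the fix: the header is
    relayed untouched and its value is only used for 206/416.
    """
    cr = _get_header(headers, "Content-Range")
    if cr is None:
        return body
    parsed = parse_content_range(cr)
    if parsed is None:
        # Unparseable value: nothing to act on, relay the body unchanged.
        return body
    if not pre_fix and status not in CONTENT_RANGE_STATUSES:
        # RFC 7233: meaningless here; pass the header through, keep the body.
        return body
    if parsed["first"] is None:
        # unsatisfied-range ("bytes */N") describes no partial body.
        return body
    want = parsed["last"] - parsed["first"] + 1
    return body[:want]


if __name__ == "__main__":
    # Constructed sample: a 200 OK with a full 100-byte body but a stray
    # Content-Range claiming only the first 10 bytes.
    full = bytes(range(100))
    hdrs = {"Content-Type": "text/plain", "Content-Range": "bytes 0-9/100"}
    print("pre-fix 200 body length:", len(relay_body(200, hdrs, full, pre_fix=True)))
    print("fixed   200 body length:", len(relay_body(200, hdrs, full)))
    print("206 body length:", len(relay_body(206, hdrs, full[:10])))
```

Running the block shows the pre-fix model cutting the 200 OK body to 10 bytes while the fixed model relays all 100; on a real 206 the 10-byte partial body is unchanged either way.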