The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.24 release!
This release is a bug fix release resolving several issues found in the
prior Squid releases.
The major changes to be aware of:
* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Recent alterations to the SSL-Bump feature logic were found to be
breaking the measure put in place to disable TLS renegotiation.
Since some TLSv1.2+ mechanisms actively require it and the upcoming
OpenSSL v1.1+ make it quite hard to disable, we have decided to mitigate
the vulnerability by implementing a rate limit on renegotiation instead
of an outright disable.
* SSLv2 records force SslBump bumping despite a matching step2 peek rule.
This bug shows up as SSLv2 connections being bumped to deliver an error
when they should have been spliced as configured. Squid will now splice
all connections it has been configured to regardless of whether the
obsolete SSLv2 syntax is being used.
When bumping or receiving the connection itself Squid will still reject
SSLv2. Only spliced traffic is affected by this.
* Update External ACL helpers error handling and caching
The Squid helper protocol has undergone several important changes but
the external ACL logic and bundled helpers have not kept up. The ACL
logics handling helper replies also had some bugs in the event of helper
This release fixes those various bugs and updates all the bundled
helpers to make use of the BH (BrokenHelper) status to signal internal
errors differently to ACL denial.
* Bug #3940 pt2: Make 'cache deny' do what is documented
There was a small regression in 3.5.23 release fix for bug 3940. The
'cache deny' rules were not being obeyed. Surprisingly this has had no
Perhapse that is a sign that anyone using 'cache deny' rules should
reasses whether those rules are still useful in these latest Squid releases.
All users of Squid-3 are encouraged to upgrade to this release as
soon as possible.
See the ChangeLog for the full list of changes in this and earlier
On 01/30/2017 12:08 AM, Amos Jeffries wrote:
> * Bug #3940 pt2: Make 'cache deny' do what is documented
> There was a small regression in 3.5.23 release fix for bug 3940. The
> 'cache deny' rules were not being obeyed. Surprisingly this has had no
There were complaints. That "small regression" had significant costs for
some admins and some developers.