* SQUID-2019:8 Multiple Issues in URI processing
Any remote client may access resources which should be restricted
and not available to them, such as those protected behind client
IP ACLs. An attacker could also gain access to manager services when
the Via header is turned off.
Any remote client can perform a Denial of Service on all other
clients using the proxy.
* SQUID-2019:10 HTTP Request Splitting in HTTP message processing
This issue allows attackers to smuggle HTTP requests through
frontend software to a Squid which splits the HTTP Request
pipeline differently. The resulting Response messages corrupt
caches between client and Squid with attacker-controlled content
at arbitrary URLs.
Effects are isolated to software between the attacker client and
Squid. There are no effects on Squid itself, nor any upstream
* SQUID-2019:11 Information Disclosure in HTTP Digest Authentication
Nonce tokens contain the raw byte value of a pointer which sits
within a heap memory allocation. This information reduces ASLR
protections and may aid attackers in isolating memory areas to
target for remote code execution attacks.
This shows up as a DNS failure to resolve the peer name if it was
configured with any upper case characters.
The change to always lower-case peer names may affect configurations
relying on mixed case instead of the name= parameter to allow multiple
entries for a peer name and port.
It may also affect configurations using mixed or upper-case peer names
with the peername or peername_regex ACL type. Admins using these
configurations should take extra care when upgrading, as the ACL may not
give any warning before it starts failing to match a peer.
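As an added pre-upgrade check for that caveat (this script is not part of Squid or these release notes), the following scans a constructed squid.conf fragment for the patterns described above: peer names that change once lower-cased, entries that only stayed distinct through case differences instead of the name= parameter, and peername / peername_regex ACLs carrying upper-case text. The hostnames and ACL names in the sample are made up.

```python
# Constructed squid.conf fragment (not from the release notes) with the
# mixed-case peer names and peername ACLs the notes warn about.
SAMPLE_CONF = r"""cache_peer Parent.Example.net parent 3128 0 no-query
cache_peer parent.example.net parent 3129 0 no-query
cache_peer parent.example.net parent 3130 0 no-query name=backup
cache_peer CACHE2.example.net sibling 3128 3130
acl to_parent peername Parent.Example.net
acl to_backup peername backup
acl siblings peername_regex ^CACHE[0-9]+\.example\.net$
acl siblings_i peername_regex -i ^CACHE[0-9]+\.example\.net$
"""

def peer_name(fields):
    """Effective peer name: the name= option if present, else the hostname."""
    for opt in fields[4:]:
        if opt.startswith("name="):
            return opt[len("name="):]
    return fields[1]

def check_peer_case(conf):
    """Return [(line_no, warning)] for entries the lower-casing change may
    break: mixed-case peer names, names that collide once lower-cased, and
    peername / peername_regex ACL values containing upper-case characters."""
    warnings, seen = [], {}
    for n, raw in enumerate(conf.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "cache_peer" and len(fields) >= 4:
            name = peer_name(fields)
            lowered = name.lower()
            if name != lowered:
                warnings.append((n, f"peer name '{name}' becomes '{lowered}' after upgrade"))
            if lowered in seen:
                warnings.append((n, f"peer name '{lowered}' collides with line {seen[lowered]}; use name= to keep both entries"))
            else:
                seen[lowered] = n
        elif fields[0] == "acl" and len(fields) >= 4 and fields[2] == "peername":
            for value in fields[3:]:
                if value != value.lower():
                    warnings.append((n, f"peername ACL value '{value}' will stop matching a lower-cased peer"))
        elif fields[0] == "acl" and len(fields) >= 4 and fields[2] == "peername_regex":
            pattern = fields[3:]
            if pattern[0] == "-i":  # case-insensitive regex: unaffected by the change
                continue
            text = " ".join(pattern)
            if any(c.isupper() for c in text):  # heuristic: escapes such as \S also trip this
                warnings.append((n, f"peername_regex '{text}' has upper-case characters; confirm it still matches"))
    return warnings

if __name__ == "__main__":
    for line_no, msg in check_peer_case(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```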
* TLS: Multiple SSL-Bump fixes
This release brings multiple important fixes to how the Squid SSL-Bump
features parse TLS traffic and interact with the certificate validation
The issues solved show up as TLS protocol failures with no indication
in the TLS traffic trace of any invalid data, or sometimes as connection
timeouts. Unfortunately the same symptoms may also come from many other
causes, which may not be fixed yet.
This version of Squid should now be considered the minimum supported for
debugging TLS protocol weirdness when using SSL-Bump or related features.
* TLS: Fix expiration of self-signed generated certs to be 3 years
The certificate generator previously produced certificates with an
expiry timestamp slightly short of 3 years. This is perfectly valid, but
may be surprising for systems expecting a multiple of whole years.
This release generates new certificates with the updated time period.
Old certificates will continue to be used with the old period until they
expire, or are discarded from the certificate cache.
* TLS: Fix on_unsupported_protocol tunnel action
Instead of tunneling traffic, a matching on_unsupported_protocol
"tunnel" action resulted in a Squid error response sent to the client
(or, where an error response was not possible, in a connection closure).
* Fix several rock cache_dir corruption issues
The previous design of the rock storage system meant that rock caches
could become littered with incomplete objects, or objects with an
incorrect final chunk. Data protection measures will normally catch these and report
metadata mismatches. However there is a possibility some responses may