[squid-announce] Squid 5.0.3 beta is available

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[squid-announce] Squid 5.0.3 beta is available

Amos Jeffries
Administrator
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.3 beta release!


This release is a security and feature update release resolving
several issues found in the prior Squid releases.


The major changes to be aware of:

 * SQUID-2020:5 Denial of Service when using SMP cache
   (CVE-2020-14059)

This problem may allow a remote client to trigger a Squid worker
assertion.

This attack is limited to SMP Squids using shared memory cache
and/or an SMP rock disk cache.


See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_5.txt>


 * SQUID-2020:6 Denial of Service issue in TLS handshake
   (CVE-2020-14058)

This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.

This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.

This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.

See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt>


 * Happy Eyeballs: Do not discard viable reforwarding destinations

When Happ Eyeballs starts opening two connections, both destinations
are removed from the destinations list. As soon as one connection
(X) succeeded, the other destination (Y) was essentially forgotten. If
Squid, after using X, decided to reforward the request, then the request
was never reforwarded to Y. We now return Y to the list of possible
destinations.



  All users of Squid-5 are urged to upgrade as soon as possible.

  All users of Squid-4 and older are encouraged to plan for upgrade.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
_______________________________________________
squid-announce mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-announce
Reply | Threaded
Open this post in threaded view
|

Re: [squid-announce] Squid 5.0.3 beta is available

mikio.kishi
Hi, Amos

Do you have any plans to release the official stable version for squid5 ?
I'm strongly interested in squid5 features. So, if you have any schedules, please let me know.

Regards,
--
Mikio Kishi

On Fri, Jun 19, 2020 at 9:41 PM Amos Jeffries <[hidden email]> wrote:
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.3 beta release!


This release is a security and feature update release resolving
several issues found in the prior Squid releases.


The major changes to be aware of:

 * SQUID-2020:5 Denial of Service when using SMP cache
   (CVE-2020-14059)

This problem may allow a remote client to trigger a Squid worker
assertion.

This attack is limited to SMP Squids using shared memory cache
and/or an SMP rock disk cache.


See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_5.txt>


 * SQUID-2020:6 Denial of Service issue in TLS handshake
   (CVE-2020-14058)

This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.

This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.

This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.

See the advisory for patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt>


 * Happy Eyeballs: Do not discard viable reforwarding destinations

When Happ Eyeballs starts opening two connections, both destinations
are removed from the destinations list. As soon as one connection
(X) succeeded, the other destination (Y) was essentially forgotten. If
Squid, after using X, decided to reforward the request, then the request
was never reforwarded to Y. We now return Y to the list of possible
destinations.



  All users of Squid-5 are urged to upgrade as soon as possible.

  All users of Squid-4 and older are encouraged to plan for upgrade.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries
_______________________________________________
squid-announce mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-announce

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: [squid-announce] Squid 5.0.3 beta is available

Amos Jeffries
Administrator
On 20/06/20 6:14 pm, mikio.kishi wrote:
> Hi, Amos
>
> Do you have any plans to release the official stable version for squid5 ?
> I'm strongly interested in squid5 features. So, if you have any
> schedules, please let me know.
>


The release process is documented at
<https://wiki.squid-cache.org/ReleaseProcess>

"stable" happens when I (as maintainer) am confident that there are no
fixable major bugs in the new code.


You do not have to wait for that status to start using any Squid
version. Squid-5.0.1 came out when the code was determined to be usable
for many installations. We just recommend that you test beta releases
well before use.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users