Squid Changelog

New in version 3.4.4

March 12th, 2014
  • The major changes to be aware of:
  • CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
  • Bug #4029: intercepted HTTPS requests bypass caching checks:
  • This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
  • Bug #4026: SSL and adaptation_access on aborted connections:
  • When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
  • Bug #3969: credentials caching for Digest authentication:
  • This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
  • Bug #3769: client_netmask not evaluated since Comm redesign:
  • This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
  • Bug #3186 and #3628: Digest authentication always sending stale=false:
  • These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
  • Several portability issues have also been resolved:
  • The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

New in version 3.2.2 (October 6th, 2012)

  • CVE-2009-0801 : NAT interception vulnerability to malicious clients.
  • NCSA helper DES algorithm password limits
  • SMP scalability
  • Helper Multiplexer and On-Demand
  • Helper Name Changes
  • Multi-Lingual manuals
  • Solaris 10 pthreads Support
  • Surrogate/1.0 protocol extensions to HTTP
  • Logging Infrastructure Updated
  • Client Bandwidth Limits
  • Better eCAP support
  • Cache Manager access changes

New in version 3.1.10 (February 28th, 2011)

  • This version brings a long list of bug fixes and some further HTTP/1.1 improvements.
  • Some small but cumulative memory leaks were found and fixed in Digest authentication and adaptation ACL processing.
  • New limits are placed on memory consumption when uploading files and when using delay pools.
  • Users of Squid-3 experiencing memory or large cache problems are urged to upgrade as soon as possible.