For details see:
http://www.squid-cache.org/Versions/v4/changesets/
and
http://lists.squid-cache.org/pipermail/squid-users/2020-August/022566.html
Fixes (excerpt):
"* SQUID-2020:8 HTTP(S) Request Splitting
(CVE-2020-15811)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.
* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)
This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.
* SQUID-2020:10 HTTP(S) Request Smuggling
(CVE-2020-15810)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
* Bug 5051: Some collapsed revalidation responses never expire
* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes
* Honor on_unsupported_protocol for intercepted https_port"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package failed to build on ARM because atomic functions
are being emulated on ARM32 and the required library was not
linked.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
The 'configure'-option "--disable-ipv6" was removed, it is no longer necessary.
See:
https://lists.ipfire.org/pipermail/development/2016-April/002046.html
"The --disable-ipv6 build option is now deprecated.
...
Squid-3.5.7 and later will perform IPv6 availability tests on startup in
all builds.
- Where IPv6 is unavailable Squid will continue exactly as it would
have had the build option not been used.
These Squid can have the build option removed now."
The warning message concerning a "BCP 177 violation" while
starting 'squid' can be ignored.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details, see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/
Since there were problems with "trailing white spaces" I started a new 'squid_3'
branch from scratch, based on current 'next'.
I hope this is what is needed and that it helps.
This one was built without errors and is running here without seen problems.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Removed unecessary quotations and two configure-options, see:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.1/squid-3.1.0.16-RELEASENOTES.html
--with-aio
Deprecated. POSIX AIO is now auto-detected and enabled.
Use --without-aio to disable, but only if you really have to.
--with-pthreads
Deprecated. pthreads library is now auto-detected and enabled.
Use --without-pthreads to disable, but only if you really have to.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The 'configure'-options were sorted (kind of) to get a better overview.
Added latest patches from upstream.
Changed '--enable-async-io=8' to '--enable-async-io=16' because of
http://www.squid-cache.org/mail-archive/squid-users/200705/0768.html :
"The default number of threads is dependent on the number of aufs
cache_dir lines, based on a reasonable estimate of how the code behaves."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
Due to a buffer overrun Squid pinger binary is vulnerable to
denial of service or information leak attack when processing
ICMPv6 packets.
This bug also permits the server response to manipulate other
ICMP and ICMPv6 queries processing to cause information leak.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.
The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.
However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.
http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
