SQUID-2021:1 Denial of Service in URN processing
SQUID-2021:2 Denial of Service in HTTP Response Processing
SQUID-2021:3 Denial of Service issue in Cache Manager
SQUID-2021:4 Multiple issues in HTTP Range header
SQUID-2021:5 Denial of Service in HTTP Response Processing
SQUID-2020:3 - Due to incorrect buffer handling Squid is vulnerable to
cache poisoning, remote execution, and denial of service attacks when
processing ESI responses.
SQUID-2020:4 - Due to an integer overflow bug Squid is vulnerable to
credential replay and remote code execution attacks against HTTP Digest
Authentication tokens.
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
quick update notes below, but you should still review upstream's
RELEASENOTES.html if you use this.
- if you explicitly configure sslcrtd_program (for advanced tls mitm
configurations) you need to change from /usr/local/libexec/squid/sslcrtd
to /usr/local/libexec/squid/security_file_certgen in your config (if you
just use options on the http_port line to enable this without extra
config, this doesn't need to change).
- if using a cert helper disk cache, you may need to clear/reinitialize
the directory (not mentioned in release notes but I needed this).
- the SMB_LM helpers (for old lanmanager protocol, which should not be
used anyway) are no longer packaged, following upstream's change in default
build.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
While here, fix a number of quite serious escaping errors in
four manual pages that caused loss of important information.
I will also send those upstream.
OK sthen@
