quick update notes below, but you should still review upstream's
RELEASENOTES.html if you use this.
- if you explicitly configure sslcrtd_program (for advanced tls mitm
configurations) you need to change from /usr/local/libexec/squid/sslcrtd
to /usr/local/libexec/squid/security_file_certgen in your config (if you
just use options on the http_port line to enable this without extra
config, this doesn't need to change).
- if using a cert helper disk cache, you may need to clear/reinitialize
the directory (not mentioned in release notes but I needed this).
- the SMB_LM helpers (for old lanmanager protocol, which should not be
used anyway) are no longer packaged, following upstream's change in default
build.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
While here, fix a number of quite serious escaping errors in
four manual pages that caused loss of important information.
I will also send those upstream.
OK sthen@
<http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
Incorrect HTTP Request header comparison results in Collapsed
Forwarding feature mistakenly identifying some private responses as
being suitable for delivery to multiple clients.
<http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>
Incorrect processing of responses to If-None-Modified HTTP conditional
requests leads to client-specific Cookie data being leaked to other
clients. Attack requests can easily be crafted by a client to probe a
cache for this information.
on arm (found by Steven Chamberlain), so it seems like it may be a safer
approach (and the next major version requires newer c++ anyway). Based on
a diff from Steven Chamberlain.
