From 2284b7f7ca9d99217b95dc3400bd4449c88be1d1 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Sun, 28 Aug 2011 01:39:52 -0600 Subject: [PATCH] Prep for 3.1.15 and 3.2.0.11 --- ChangeLog | 27 +++++++++++++++++++++++++++ doc/release-notes/release-3.1.sgml | 2 +- doc/release-notes/release-3.2.sgml | 27 +++++++++++++++++++++++---- 3 files changed, 51 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd8f575938..bf8711d99a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,28 @@ +Changes to squid-3.2.0.11 (28 Aug 2011): + + - Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control + - Host: authority validation of intercepted destination IP + - Host: authority validation of request URL + - Host: authority validation of CONNECT tunnel destination + - Preserve client destination IP in intercepted communication + - Regression Bug 3316: Failed to connect to nameserver using TCP + - Regression Bug 3311: segmentation fault in getMyPort() with only intercept port set + - Regression Bug 3310: % The lack of some features available in Squid-2.x series. See the regression sections below for full details. - CVE-2009-0801 : NAT interception vulnerability to malicious clients. + CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series.

Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are: diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index c7d722810e..7d2becb58d 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@

-Squid 3.2.0.10 release notes +Squid 3.2.0.11 release notes Squid Developers @@ -13,13 +13,14 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.0.10 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.0.11 for testing. This new release is available for download from or the . While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. -We welcome feedback and bug reports. If you find a bug, please see for how to submit a report with a stack trace. +We welcome feedback and bug reports. If you find a bug, please see for how to submit a +report with a stack trace. Known issues

@@ -34,6 +35,7 @@ The 3.2 change history can be Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients. +

Details in Advisory + +

Squid locates the authority-URL details available in an HTTP request as + defined by RFC 2616 and validates that all found representations are + textually equivalent. In the case of intercepted traffic the + client destination IP is also compared to the Host: authority domains + DNS entries. + +

When the Host: authority contradicts another authority source Squid will log + "SECURITY ALERT: Host: header forgery detected" and respond with a 409 Conflict + error status page. + + SMP scalability

The new "workers" squid.conf option can be used to launch multiple worker processes and utilize multiple CPU cores. The overall intent is to make @@ -393,8 +409,11 @@ This section gives a thorough account of those changes in three categories: client-side delay pool for the request. client_dst_passthru -

New setting to disable Host: header security on interception proxies. +

New setting to disable extra Host: header security on interception proxies. Impacts cache integrity/reliability and client browser security. +

IMPORTANT: disabling this directive only allows Squid to change the + destination IP to another source indicated by Host: domain DNS or + cache_peer configuration. It does not affect Host: validation. cpu_affinity_map

New setting for SMP support to map Squid processes onto specific CPU cores. -- 2.47.3
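Review bot: in the ChangeLog hunk, the entry "Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control" lists the fix but does not point at the advisory the way the 3.2 release notes do ("Details in Advisory"); add the advisory reference here as well, since distributors scanning the ChangeLog for security fixes will look for it there first. The three "Host: authority validation" sub-items would also stand on their own better if they said what happens on a mismatch (the "SECURITY ALERT: Host: header forgery detected" log line and the 409 Conflict response described in the 3.2 notes), so a reader of the ChangeLog alone knows the fix is a reject, not a silent rewrite.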
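Review bot: in the release-3.1.sgml hunk, "CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series." leaves a 3.1.15 reader unsure whether 3.1 itself is still affected; since the subject says this commit preps 3.1.15, say plainly that the 3.1 series remains vulnerable, that the fix is obtained only by upgrading to 3.2.0.11 or later, and link the advisory as the 3.2 notes do. Minor: "fixed in 3.2 series" should read "fixed in the 3.2 series".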
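Review bot: in the @@ -34,6 hunk of release-3.2.sgml, "validates that all found representations are textually equivalent" is stricter than the RFC 2616 authority rules it cites: section 3.2.3 makes host-name comparison case-insensitive and treats an empty port as the scheme's default port, so a literal string comparison would reject "Host: Example.com" against a request URL of "example.com", or "Host: example.com" against "example.com:80". State whether the comparison normalizes case and default ports, or, if it really is a byte-for-byte comparison, say so and list it as a known source of 409 Conflict responses. The intercept sentence "the client destination IP is also compared to the Host: authority domains DNS entries" (should be "domain's DNS entries") also needs a line on what happens when Squid's resolver returns a different address set than the client's resolver did, which is routine with DNS round-robin and CDNs; without that, legitimate clients will hit the 409 and operators will reach straight for client_dst_passthru. Minor: "authority-URL details" reads better as "authority (host and port) details".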
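Review bot: in the @@ -393,8 hunk, the rewritten opener for client_dst_passthru ("New setting to disable extra Host: header security on interception proxies") contradicts the IMPORTANT paragraph added directly below it ("It does not affect Host: validation"). Reword the opener to describe what the directive actually controls, for example "Controls whether intercepted requests are always forwarded to the client's original destination IP. When off, Squid may instead use an address from the Host: domain's DNS or a cache_peer; Host: validation is performed either way." The entry should also state the default (on or off), since an operator reading these notes cannot otherwise tell whether an existing intercept deployment changes behaviour on upgrade, and "disabling this directive only allows" is ambiguous between the directive being absent from squid.conf and being explicitly set to off.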