The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.7 release!
This release fixes a number of bugs in the earlier Squid releases.
One regression introduced with 3.1.6 when contacting IPv4-only DNS resolvers opens a small but exploitable DoS vulnerability. All users of Squid-3.1.6 are urged to upgrade to this release as soon as possible.
Several HTTP/1.1 compliance bugs have been resolved. The most noticeable of these is that Squid is now more correctly operating connection keep-alive to clients.
The fix for keep-alive has resolved several apparent bugs in NTLM and Negotiate authentication and brought to light a compatibility issue with the major modern browsers. The issue appears to end-users as multiple browser popups if for any reason they need to supply new NTLM/Negotiate credentials for a connection. The default if unset for NTLM and Negotiate auth_param keep_alive has become OFF to avoid this.
The visible_hostname directive has been updated with several fixes to avoid killing Squid when the machine hostname is mis-configured or unavailable at startup. To retain consistency with existing distributions practice the value of "localhost" is used in the event of a lookup failure.
All users of Squid-3.1.6 are urged to upgrade to this release as soon as possible.
Users of other Squid-3.1 and 3.0 are encouraged to upgrade at their earliest convenience.
FYI I tried to bump this locally (risk assessment :) and the only necessary change was to drop squid-3.1.6-bug3011.patch, since this was fixed upstream. No other changes are necessary. Hope this helps and saves some time.
net-proxy: Please bump.
net-proxy/squid-3.1.8 is out with some security fixes:
This release brings several very important bug fixes, security updates and some HTTP/1.1 improvements into 3.1.
On the security front we have three major additions:
* Fixes for the request processing vulnerability tagged SQUID-2010:3.
* A hardening of the DNS client against packet queueing approaches used to enable attacks. This completes the protection against attacks published by Yamaguchi late in 2009.
* An HTTP request-line parser hardened against several categories of request attack. This greatly increasing the speed of detection and reducing resources used to detect these categories of attack.
Several outstanding major bugs have also been identified and fixed:
- Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
- Bug 3005,2972: Locate LTDL headers correctly (again)
- Bug 2872: leaking file descriptors
- Bug 2583: pure virtual method called
As you can see yet another attempt to get over the libtool / libltdl build issues has been made. If you are building Squid with a libtool 1.x version please try to do so first on these bundles without using any of the hacks and workarounds. For any libltdl or LoadableModules problems in this package please mention in the bug 2972 bugzilla report along with your libtool/libltdl versions.
Due to the security enhancements all users of Squid-3 are urged to upgrade to this release as soon as possible.
Please refer to the release notes at
if and when you are ready to make the switch to Squid-3.1
*** Bug 336217 has been marked as a duplicate of this bug. ***
squid-3.1.8 has been added to the tree.
Arches, please do your magic.
(In reply to comment #6)
> squid-3.1.8 has been added to the tree.
Arch teams, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for PPC.
Stable on alpha.
Stable for HPPA.
The string-comparison functions in String.cci in Squid 3.x before
3.1.8 and 3.2.x before 18.104.22.168 allow remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via a
In reverse mode (in front of public webserver/s) there is the possiblity of remote DOS by anyone worldwide. Squid will usually be a critical service.
Also: " There are applications already in general public use which can
trigger this problem for 3.1 and 3.2 on occasion without intended
So, I cancel voting hereby and directly say: GLSA request filed.
(In reply to comment #18)
> version bump!
Please don't hijack other bugs, file a new bug instead.
(In reply to comment #19)
> (In reply to comment #18)
> > version bump!
> > http://www2.de.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_10.html
> Please don't hijack other bugs, file a new bug instead.
Sorry! It was already corrected.
This issue was resolved and addressed in
GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).