6df5b7b42f
Please refer release note for other changes: http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html * SQUID-2016:4 - Denial of Service issue in HTTP Response processing http://www.squid-cache.org/Advisories/SQUID-2016_4.txt aka. CVE-2016-3948 This is another of the bugs left unfixed by the SQUID-2016:2 patches. The visible symptom is assertions about: "String.cc:*: 'len_ + len <65536'" There is an attack in the wild for this one, but not as widely as for the previous issues. * SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing. http://www.squid-cache.org/Advisories/SQUID-2016_3.txt aka. CVE-2016-3947 This bug shows up as pinger crashing with Icmp6::Recv errors. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures. All previous Squid-3 releases are affected by both these issues. See the advisory for further details. Upgrade or patching should be considered a high priority. * pinger: drop capabilities on Linux On Linux, it is now possible to install pinger helper with only CAP_NET_RAW permissions raised instead of full setuid-root: (setcap cap_net_raw+ep /path/to/pinger && chmod u-s /path/to/pinger) || : Other operating systems without libcap capabilities features are not affected by this change. * Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion This rather cripling bug appears after the CVE-2016-2569 patch. It turned out to be a race condition closing connections and has now been fully fixed. |
||
|---|---|---|
| .. | ||
| files | ||
| patches | ||
| DESCR | ||
| distinfo | ||
| Makefile | ||
| Makefile.common | ||
| MESSAGE | ||
| options.mk | ||
| PLIST | ||