Stable release of Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published and is ready for use in production systems (the 5.0.x releases had beta status). Now that the 5.x branch is stable, it will receive only fixes for vulnerabilities and stability problems, plus minor optimizations; new features will be developed in the new experimental 6.0 branch. Users of the previous stable 4.x branch are advised to plan their migration to 5.x.

Main innovations of Squid 5:

  • The implementation of the ICAP protocol (Internet Content Adaptation Protocol), used to integrate Squid with external content inspection systems, now supports trailers: additional header fields with metadata that the ICAP server places after the message body of its response (for example, a checksum of the adapted body or details of the problems it found), which is useful because such values are only known once the whole body has been processed.
  • When forwarding requests, the "Happy Eyeballs" algorithm is used: Squid connects to the first IP address it receives instead of waiting for all candidate IPv4 and IPv6 addresses of the destination to be resolved. The order of address families is no longer governed by the "dns_v4_first" setting; the order of DNS responses is respected instead: if an AAAA answer arrives first while an address is being resolved, the resulting IPv6 address is used. A preference for one address family therefore has to be expressed at the firewall or DNS level, or at build time with the "--disable-ipv6" option. The change shortens TCP connection setup time and reduces the impact of DNS resolution latency.
  • For use with the "external_acl_type" directive, the "ext_kerberos_sid_group_acl" helper has been added; it authorizes users authenticated with Kerberos by checking their group membership in Active Directory, using the ldapsearch utility from the OpenLDAP package to look up the group name.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has been unmaintained for several years and has unpatched vulnerabilities, while moving to newer releases is not an option because they are licensed under the AGPLv3, whose requirements also extend to applications that link Berkeley DB as a library; Squid is licensed under the GPLv2, and the AGPL is incompatible with it. The project has switched to TrivialDB (TDB) instead, which, unlike Berkeley DB, is designed for concurrent access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" helpers are now recommended to use the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header defined in RFC 8586, which detects loops when content delivery networks are chained: each CDN appends its identifier to the header as it forwards a request, so a request that, for whatever reason, comes back to a CDN it has already passed through can be recognized and refused instead of circulating indefinitely.
  • The SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, can now forward bumped (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over a TLS connection to the peer is not supported, since Squid cannot yet carry TLS inside TLS). SSL-Bump works as follows: on receiving the first intercepted HTTPS request, Squid establishes a TLS connection to the target server and obtains its certificate. It then takes the hostname from the real certificate received from the server and generates a fake certificate with which it impersonates the requested server toward the client, while continuing to use the TLS connection already established with the target server to fetch the data. To keep client browsers from showing certificate warnings because of the substitution, the CA certificate used to sign the generated certificates has to be added to the clients' trusted root store.
  • Added the mark_client_connection and mark_client_packet directives for attaching Netfilter marks to client TCP connections (CONNMARK) or to individual packets.
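The first item above describes an ICAP response whose metadata arrives after the body. The following is an added example, not Squid's or any ICAP server's code: it constructs such a RESPMOD response (RFC 3507 framing around an HTTP/1.1 chunked body with trailer fields), decodes it, and verifies a body checksum carried in a trailer. The field names X-Checksum and X-Scan-Result, the ISTag value, and the assumption that the server announces its trailer fields in a Trailer header are constructed for the example.

```python
"""Decode an ICAP RESPMOD response whose chunked body carries trailer fields.

Added example, not Squid code. The message is constructed in build_sample();
X-Checksum and X-Scan-Result are hypothetical trailer field names.
"""
import hashlib

CRLF = b"\r\n"


def _parse_header_block(block: bytes) -> tuple[str, dict[str, str]]:
    """Split a start line plus "Name: value" lines into (start line, headers)."""
    lines = block.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _decode_chunked(data: bytes) -> tuple[bytes, dict[str, str]]:
    """Return (body, trailer fields) for a chunked-encoded section."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.index(CRLF, pos)
        # chunk-size may carry extensions such as ICAP's "0; ieof": drop them
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    # After the last chunk: trailer fields, then an empty line ends the message
    trailers: dict[str, str] = {}
    while True:
        eol = data.index(CRLF, pos)
        line = data[pos:eol].decode("latin-1")
        pos = eol + 2
        if not line:
            break
        name, _, value = line.partition(":")
        trailers[name.strip().lower()] = value.strip()
    return bytes(body), trailers


def parse_icap_response(raw: bytes) -> dict:
    """Parse ICAP head, Encapsulated offsets, the HTTP head and the chunked body."""
    head, _, rest = raw.partition(CRLF + CRLF)
    status_line, icap_headers = _parse_header_block(head)
    offsets = {}
    for part in icap_headers["encapsulated"].split(","):  # "res-hdr=0, res-body=45"
        name, _, off = part.partition("=")
        offsets[name.strip()] = int(off)
    http_status, http_headers = _parse_header_block(rest[offsets["res-hdr"]:offsets["res-body"]])
    body, trailers = _decode_chunked(rest[offsets["res-body"]:])
    announced = [t.strip().lower() for t in icap_headers.get("trailer", "").split(",") if t.strip()]
    return {"icap_status": status_line, "icap_headers": icap_headers, "announced": announced,
            "http_status": http_status, "http_headers": http_headers,
            "body": body, "trailers": trailers}


def checksum_matches(parsed: dict) -> bool:
    """Check the body against a hypothetical "X-Checksum: sha256=<hex>" trailer."""
    algo, _, digest = parsed["trailers"].get("x-checksum", "").partition("=")
    return algo == "sha256" and hashlib.sha256(parsed["body"]).hexdigest() == digest


def build_sample(body: bytes, tamper: bool = False) -> bytes:
    """Constructed RESPMOD response; tamper=True flips a body byte after the checksum was taken."""
    http_head = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/plain" + CRLF + CRLF
    digest = hashlib.sha256(body).hexdigest()
    if tamper:
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    chunked = (f"{len(body):x}".encode() + CRLF + body + CRLF
               + b"0" + CRLF
               + f"X-Checksum: sha256={digest}".encode() + CRLF
               + b"X-Scan-Result: clean" + CRLF + CRLF)
    icap_head = (b"ICAP/1.0 200 OK" + CRLF
                 + b'ISTag: "W3E4R7U9-L2E4-2"' + CRLF
                 + f"Encapsulated: res-hdr=0, res-body={len(http_head)}".encode() + CRLF
                 + b"Trailer: X-Checksum, X-Scan-Result" + CRLF + CRLF)
    return icap_head + http_head + chunked


if __name__ == "__main__":
    good = parse_icap_response(build_sample(b"Hello, world!"))
    print(good["trailers"], checksum_matches(good))
    bad = parse_icap_response(build_sample(b"Hello, world!", tamper=True))
    print(bad["trailers"], checksum_matches(bad))
```

The point of the trailer is visible in build_sample: the checksum is computed over the finished body and still reaches the client after it, whereas a header would have had to be sent before the body existed. A client that consumes the body before verifying the trailer must be prepared to discard or quarantine it afterwards.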
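For the CDN-Loop item above, here is an added example of the loop check itself, not Squid's implementation: it parses the RFC 8586 header (a comma-separated list of cdn-ids, each with optional `;`-separated parameters, possibly spread over several header fields), reports whether the receiving CDN's own identifier is already on the path, and builds the value to send upstream. The cdn-ids foocdn.example, barcdn.example and bazcdn.example are constructed; the case-insensitive comparison and the allowed_visits threshold are design choices of this example.

```python
"""RFC 8586 CDN-Loop: parse the header and detect a request that has come back.

Added example, not Squid code. cdn-ids in the tests are constructed.
"""
from typing import Optional


def _split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on sep, but never inside a quoted-string ("..." with backslash escapes)."""
    parts: list[str] = []
    buf: list[str] = []
    quoted = escaped = False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve quoted-pairs (backslash escapes)."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        out: list[str] = []
        escaped = False
        for ch in value[1:-1]:
            if escaped:
                out.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            else:
                out.append(ch)
        return "".join(out)
    return value


def parse_cdn_loop(field_values: list[str]) -> list[tuple[str, dict[str, str]]]:
    """Parse every CDN-Loop field into (cdn-id, parameters) pairs in hop order.

    The header may appear more than once; list-header semantics let the fields
    be treated as one comma-separated list. Empty list elements are ignored.
    """
    hops: list[tuple[str, dict[str, str]]] = []
    for value in field_values:
        for member in _split_outside_quotes(value, ","):
            member = member.strip()
            if not member:
                continue
            cdn_id, *params = _split_outside_quotes(member, ";")
            parsed: dict[str, str] = {}
            for param in params:
                name, _, val = param.strip().partition("=")
                parsed[name.strip().lower()] = _unquote(val.strip())
            hops.append((cdn_id.strip(), parsed))
    return hops


def loop_detected(field_values: list[str], own_id: str, allowed_visits: int = 0) -> bool:
    """True if own_id already appears more than allowed_visits times on the path.

    cdn-ids are compared case-insensitively (hostnames are). allowed_visits > 0
    accommodates a multi-tier deployment in which this CDN legitimately appears
    more than once; that threshold is this example's design choice, not RFC text.
    """
    visits = sum(1 for cdn_id, _ in parse_cdn_loop(field_values) if cdn_id.lower() == own_id.lower())
    return visits > allowed_visits


def outgoing_cdn_loop(field_values: list[str], own_id: str) -> Optional[str]:
    """CDN-Loop value to send upstream (incoming list plus own_id), or None when
    forwarding would complete a loop and the request must be answered locally."""
    if loop_detected(field_values, own_id):
        return None
    members = [m.strip() for v in field_values for m in _split_outside_quotes(v, ",") if m.strip()]
    return ", ".join(members + [own_id])


if __name__ == "__main__":
    incoming = ["foo123.foocdn.example", 'barcdn.example; trapped=true; note="a, b"']
    print(parse_cdn_loop(incoming))
    print(outgoing_cdn_loop(incoming, "bazcdn.example"))
    print(outgoing_cdn_loop(incoming, "barcdn.example"))
```

When outgoing_cdn_loop returns None the proxy should answer the request with an error itself rather than forward it; appending the identifier to every forwarded request is what makes detection possible at the next hop, so the header must be added even when no loop is suspected.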

Hot on its heels, Squid 5.2 and Squid 4.17 were released, fixing the following vulnerabilities:

  • CVE-2021-28116: an information leak when processing crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect proxy client traffic to their own host. The problem affects only configurations with WCCPv2 support enabled, and only when the attacker is able to spoof the router's IP address.
  • CVE-2021-41611: an error in TLS certificate validation that could allow access with untrusted certificates.

Source: opennet.ru