Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been presented, ready for use on production systems (the 5.0.x releases had the status of beta versions). Now that the 5.x branch has been given stable status, from now on only fixes for vulnerabilities and stability problems will be made to it, and minor optimizations are also allowed. Development of new features will take place in the new experimental branch 6.0. Users of the previous stable branch 4.x are advised to plan a migration to the 5.x branch.

Key new features in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content inspection systems, has added support for the data attachment mechanism (trailer), which allows additional headers with metadata to be attached to a response after the message body (for example, a checksum and information about detected problems can be sent).
  • When routing requests, the "Happy Eyeballs" algorithm is used: the first IP address received is used immediately, without waiting for all potentially available IPv4 and IPv6 target addresses to be resolved. Instead of consulting the "dns_v4_first" setting to decide whether the IPv4 or IPv6 address family is used, the order of DNS responses is now taken into account: if the DNS AAAA response arrives first while waiting for the IP address to be resolved, then the resulting IPv6 address will be used. Thus, setting the preferred address family is now done at the firewall, at the DNS level, or at startup with the "--disable-ipv6" option. The proposed change speeds up TCP connection setup time and reduces the performance impact of delays during DNS resolution.
  • For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" handler has been added for authentication with group checking in Active Directory using Kerberos. To query the group name, use the ldapsearch utility provided by the OpenLDAP package.
  • Support for the Berkeley DB format has been deprecated due to licensing issues. The Berkeley DB 5.x branch has not been maintained for several years and remains with unpatched vulnerabilities, and migration to newer releases is prevented by the license change to AGPLv3, whose requirements also apply to applications that use BerkeleyDB in the form of a library - Squid is supplied under the GPLv2 license, and AGPL is incompatible with GPLv2. Instead of Berkeley DB, the project has been migrated to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" handlers now recommend using the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which allows loops to be detected when using content delivery networks (the header protects against situations where a request, in the process of being redirected between CDNs, for some reason returns to the original CDN, forming an infinite loop).
  • The SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, has added support for redirecting spoofed (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (transmission over HTTPS is not supported, since Squid cannot yet carry TLS inside TLS). SSL-Bump allows a TLS connection to be established with the target server upon receipt of the first intercepted HTTPS request, and its certificate to be obtained. After that, Squid uses the host name from the real certificate received from the server and creates a dummy certificate with which it imitates the requested server when interacting with the client, while continuing to use the TLS connection established with the target server to receive data (so that the substitution does not lead to warnings in browsers on the client side, the certificate used to generate the fake certificates must be added to the root certificate store).
  • Added the mark_client_connection and mark_client_pack directives for binding Netfilter marks (CONNMARK) to client TCP connections or individual packets.
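As an added illustration of the CDN-Loop check described above (example code written for this article, not Squid's own implementation): it parses one or more CDN-Loop field values per RFC 8586, ignores the per-element parameters, and refuses to forward a request that already carries our own identifier. The CDN name cdn.example.net and the header values are constructed placeholders.

```python
# Loop detection with the CDN-Loop header (RFC 8586), written to illustrate the
# behaviour described above; not code from Squid. OUR_CDN_ID is a constructed value.
OUR_CDN_ID = "cdn.example.net"


def _split_elements(value):
    """Split a field value on commas that are not inside a quoted-string parameter."""
    elements, buf, in_quote, escape = [], [], False, False
    for ch in value:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\" and in_quote:      # quoted-pair inside a quoted-string
            buf.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            elements.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    elements.append("".join(buf))
    return elements


def parse_cdn_loop(field_values):
    """Return the cdn-ids from one or more CDN-Loop field values.
    Each element is 'cdn-id *( ";" parameter )'; parameters are dropped because
    only the identifier matters for loop detection."""
    ids = []
    for value in field_values:
        for element in _split_elements(value):
            cdn_id = element.split(";", 1)[0].strip()
            if cdn_id:
                ids.append(cdn_id)
    return ids


def is_loop(field_values, our_id=OUR_CDN_ID):
    """True if our identifier is already in the chain (host names compare
    case-insensitively; an explicit ':port' is part of the identity)."""
    return our_id.lower() in (i.lower() for i in parse_cdn_loop(field_values))


def forward_headers(headers, our_id=OUR_CDN_ID):
    """Return headers to send upstream with our cdn-id appended, or None to
    reject the request because it has looped back to us."""
    values = headers.get("CDN-Loop", [])
    if is_loop(values, our_id):
        return None
    return {**headers, "CDN-Loop": values + [our_id]}
```

Headers are modelled as a dict mapping a field name to the list of its field values, since CDN-Loop may appear more than once in a request.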

Hot on their heels, the Squid 5.2 and Squid 4.17 releases have been published, in which the following vulnerabilities have been fixed:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy server's clients to a host under the attacker's control. The problem only appears in configurations with WCCPv2 support enabled and when it is possible to spoof the IP address of the router.
  • CVE-2021-41611 - An issue in TLS certificate verification allows access using untrusted certificates.

Source: opennet.ru
