Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published, ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems, plus minor optimizations, will be made to it from here on. Development of new features will take place in the new experimental branch 6.0. Users of the previous 4.x branch are advised to plan a migration to the 5.x branch.

Key innovations in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content-checking systems, gained support for the trailer mechanism, which allows additional headers carrying metadata to be attached to a response after the message body (for example, to send a checksum together with details of the problems detected).
  • When forwarding requests, the "Happy Eyeballs" algorithm is now used: the first IP address received is used immediately, without waiting for every potentially available IPv4 and IPv6 address to be resolved. Instead of the "dns_v4_first" setting deciding whether an IPv4 or IPv6 address is used, the order in which DNS replies arrive is now what counts: if the AAAA reply arrives first while Squid is waiting for the name to resolve, the resulting IPv6 address is used. Accordingly, a preferred address family now has to be enforced at the firewall or DNS level, or at build time with the "--disable-ipv6" configure option. The change shortens TCP connection setup time and reduces the performance impact of delays during DNS resolution.
  • For use with the "external_acl_type" directive, the "ext_kerberos_sid_group_acl" helper has been added, which checks group membership in Active Directory via Kerberos. To look up the group name it uses the ldapsearch utility supplied with the OpenLDAP package.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and has unpatched vulnerabilities, while moving to newer releases is blocked by the license change to AGPLv3, whose requirements also extend to applications that use Berkeley DB as a library; Squid is distributed under GPLv2, and the AGPL is incompatible with GPLv2. In place of Berkeley DB, the project has switched to the TrivialDB DBMS, which, unlike Berkeley DB, is optimised for concurrent parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" helpers now recommend the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header defined in RFC 8586, which makes it possible to detect loops when content delivery networks are used (the header protects against the situation where a request, while being redirected between CDNs, for some reason returns to the original CDN and forms an endless loop).
  • The SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, gained support for forwarding spoofed (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, since Squid cannot yet carry TLS inside TLS). SSL-Bump establishes a TLS connection to the target server when the first intercepted HTTPS request arrives and obtains its certificate. Squid then takes the host name from the genuine certificate received from the server and generates a dummy certificate imitating the requested server for its exchange with the client, while continuing to use the TLS connection already established with the target server to fetch data (so that the substitution does not trigger warnings in browsers on the client side, the certificate used to generate the fake certificates must be added to the clients' root certificate store).
  • Added the mark_client_connection and mark_client_packet directives for binding Netfilter marks (CONNMARK) to client TCP connections or to individual packets.
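The address-selection change described above is easiest to see by racing the two lookups. The following is an added example, not Squid's code: it simulates A and AAAA queries with different latencies and contrasts "first answer wins" (the Squid 5 behaviour the text describes) with the old dns_v4_first behaviour of waiting for all answers and preferring IPv4. The host names, addresses and latencies are constructed sample data.

```python
"""Racing A and AAAA lookups the way the text describes for Squid 5 (first
answer wins) against the old dns_v4_first behaviour (wait for all answers,
prefer IPv4). Added example with simulated resolvers; not Squid's code."""
import asyncio

# Constructed sample: (record type, address, simulated resolver latency in seconds).
# The latencies stand in for the different round-trip times of the A and AAAA queries.
SAMPLE_ANSWERS = {
    "fast-v6.example": [("AAAA", "2001:db8::10", 0.01), ("A", "192.0.2.10", 0.10)],
    "fast-v4.example": [("AAAA", "2001:db8::20", 0.10), ("A", "192.0.2.20", 0.01)],
    "v4-only.example": [("A", "192.0.2.30", 0.02)],          # no AAAA record at all
}


async def _lookup(rrtype, address, latency):
    """One simulated DNS query: the answer arrives after `latency` seconds."""
    await asyncio.sleep(latency)
    return rrtype, address


async def resolve_first_answer(host):
    """Squid 5 style: issue both queries in parallel and use whichever answer
    lands first; the other query is cancelled rather than waited for."""
    answers = SAMPLE_ANSWERS.get(host, [])
    if not answers:
        return None
    tasks = [asyncio.create_task(_lookup(*a)) for a in answers]
    first = None
    for fut in asyncio.as_completed(tasks):
        first = await fut          # completion order, not list order
        break
    for t in tasks:
        t.cancel()                 # no-op for the task that already finished
    return first


async def resolve_v4_first(host):
    """Squid 4 style with dns_v4_first on: collect every answer, then prefer
    the A record even if the AAAA answer arrived long before it."""
    answers = SAMPLE_ANSWERS.get(host, [])
    if not answers:
        return None
    results = await asyncio.gather(*(_lookup(*a) for a in answers))
    results.sort(key=lambda r: 0 if r[0] == "A" else 1)
    return results[0]


def pick_address(host, happy_eyeballs=True):
    """Synchronous wrapper returning (rrtype, address), or None for an unknown name."""
    coro = resolve_first_answer(host) if happy_eyeballs else resolve_v4_first(host)
    return asyncio.run(coro)


if __name__ == "__main__":
    for name in SAMPLE_ANSWERS:
        print(name, "happy eyeballs:", pick_address(name),
              "dns_v4_first:", pick_address(name, happy_eyeballs=False))
```

For "fast-v6.example" the two strategies pick different address families, which is exactly why a deployment that relied on dns_v4_first now has to express the preference in the firewall or DNS instead.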
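The CDN-Loop check from RFC 8586 mentioned in the list is small enough to show end to end. The following is an added example and not Squid's implementation: it parses one or more CDN-Loop field values (cdn-id plus optional ";"-separated parameters, with quoted-string values allowed to contain "," and ";"), refuses a request whose header already names the local CDN, and otherwise appends the local cdn-id before forwarding. The first two sample field values are the RFC's own example; the other inputs and the case-insensitive comparison of cdn-ids are this example's assumptions.

```python
"""CDN-Loop (RFC 8586) loop detection: parse the header, refuse requests that
already carry our own cdn-id, otherwise append it before forwarding.
Added example; not Squid's implementation."""


def _split_top_level(text, sep):
    """Split text on sep, ignoring separators inside double-quoted strings."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(text):   # quoted-pair: keep next char verbatim
                i += 1
                buf.append(text[i])
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted-string in CDN-Loop")
    parts.append("".join(buf))
    return parts


def parse_cdn_loop(field_values):
    """Return a list of (cdn_id, params) from one or more CDN-Loop field values.

    Repeated header fields are joined with commas first, as HTTP allows for
    list-valued fields. cdn-id is a uri-host[:port] or a pseudonym; parameters
    are name=value pairs separated by ';'. Empty list members are tolerated.
    """
    entries = []
    for member in _split_top_level(",".join(field_values), ","):
        member = member.strip()
        if not member:
            continue
        parts = [p.strip() for p in _split_top_level(member, ";")]
        cdn_id = parts[0]
        if not cdn_id or any(c.isspace() for c in cdn_id):
            raise ValueError(f"malformed cdn-id in {member!r}")
        params = {}
        for param in parts[1:]:
            name, eq, value = param.partition("=")
            if not eq or not name.strip() or not value.strip():
                raise ValueError(f"malformed parameter {param!r}")
            params[name.strip().lower()] = value.strip()
        entries.append((cdn_id, params))
    return entries


def process_cdn_loop(field_values, own_cdn_id):
    """Decide whether to forward a request and what CDN-Loop value to send.

    Returns (loop_detected, outgoing_value). If own_cdn_id is already listed,
    the request has looped back to us and must not be forwarded. cdn-ids are
    compared case-insensitively here (this example's choice, treating them
    as host names).
    """
    entries = parse_cdn_loop(field_values)
    if any(cdn_id.lower() == own_cdn_id.lower() for cdn_id, _ in entries):
        return True, None
    outgoing = [cdn_id + "".join(f"; {k}={v}" for k, v in params.items())
                for cdn_id, params in entries]
    outgoing.append(own_cdn_id)
    return False, ", ".join(outgoing)


# Constructed sample request: the two field values are RFC 8586's own example.
RFC_EXAMPLE = ['foo123.foocdn.example, barcdn.example; trace="abcdef"',
               'AnotherCDN; abc=123; def="456"']

if __name__ == "__main__":
    print(process_cdn_loop(RFC_EXAMPLE, "AnotherCDN"))        # loop: request came back to us
    print(process_cdn_loop(RFC_EXAMPLE, "mycdn.example"))     # no loop: forward with our id appended
```

The tokenizer matters more than it looks: splitting naively on "," or ";" lets a parameter value such as trace="a;b,c" hide or fabricate list members, so the loop check must be done on the parsed structure rather than on a substring match of the raw header.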

Hot on its heels, Squid 5.2 and Squid 4.17 were published with fixes for the following vulnerabilities:

  • CVE-2021-28116: an information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy server's clients to a host of their own. The problem only affects configurations with WCCPv2 support enabled, and only when the router's IP address can be spoofed.
  • CVE-2021-41611: a flaw in TLS certificate verification that allows access using untrusted certificates.
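Since the WCCPv2 issue only affects configurations that enable it, and since the Happy Eyeballs change above means dns_v4_first no longer selects the address family, a quick pass over squid.conf tells you which hosts to upgrade first and which 4.x settings no longer do what they did. The following is an added example, not a Squid tool: it reads a squid.conf, strips comments (a simplification of Squid's own parser; quoted values are not treated specially) and reports occurrences of wccp2_router and dns_v4_first. The sample configuration is constructed.

```python
"""Audit a squid.conf for two settings this release note touches:
 - wccp2_router: enables WCCPv2, the only configuration exposed to
   CVE-2021-28116 (fixed in 5.2 / 4.17), so such hosts should be upgraded first;
 - dns_v4_first: no longer selects the address family in 5.x (Happy Eyeballs),
   so the preference has to move to the firewall, DNS or --disable-ipv6.
Added example, not a Squid tool. Comment handling is a simplification."""
import re

WATCHED = {
    "wccp2_router": "WCCPv2 enabled: exposed to CVE-2021-28116 before Squid 5.2 / 4.17",
    "dns_v4_first": "no longer selects the address family in 5.x; use firewall/DNS or --disable-ipv6",
}


def parse_directives(conf_text):
    """Return {directive: [argument string, ...]} ignoring blank and comment lines.

    A '#' at the start of a line or after whitespace begins a comment.
    Directives may repeat (wccp2_router usually does), so values are lists.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s#", line, maxsplit=1)[0].strip()
        parts = line.split(None, 1)
        name = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(name, []).append(args)
    return found


def audit(conf_text):
    """Return a list of (directive, arguments, finding) for each watched directive in use."""
    findings = []
    directives = parse_directives(conf_text)
    for name, message in WATCHED.items():
        for args in directives.get(name, []):
            findings.append((name, args, message))
    return findings


# Constructed sample squid.conf, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample squid.conf
http_port 3128
dns_v4_first on   # carried over from a 4.x configuration
wccp2_router 192.0.2.1
wccp2_router 192.0.2.2
#wccp2_router 192.0.2.3
cache_peer upstream.example.net parent 3128 0 no-query
"""

if __name__ == "__main__":
    for name, args, message in audit(SAMPLE_CONF):
        print(f"{name} {args}: {message}")
```

Run it against /etc/squid/squid.conf on each proxy; a host that reports wccp2_router and still runs a version older than 5.2 or 4.17 is the one to patch first, and any dns_v4_first line is a migration item rather than a working setting once the host is on 5.x.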

Source: opennet.ru
