Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published, ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems will be made in it from here on, and minor optimizations are also allowed. Development of new features will take place in the new experimental branch 6.0. Users of the previous stable 4.x branch are advised to plan a migration to the 5.x branch.

Key innovations in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content verification systems, has gained support for a data attachment mechanism (trailer) that allows additional headers with metadata to be attached to a response, placed after the message body (for example, a checksum and details about the problems detected can be sent).
  • When forwarding requests, the "Happy Eyeballs" algorithm is used: it immediately uses the first IP address received, without waiting for all potentially available IPv4 and IPv6 addresses to be resolved. Instead of using the "dns_v4_first" setting to determine whether the IPv4 or IPv6 address family should be used, the order of DNS responses is now taken into account: if, while waiting for resolution, the DNS AAAA response arrives first, the resulting IPv6 address is used. The preferred address family is therefore now configured at the firewall or DNS level, or at startup with the "--disable-ipv6" option. The proposed change speeds up TCP connection setup and reduces the performance impact of DNS resolution delays.
  • For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" handler has been added for checking group membership in Active Directory using Kerberos. To query the group name, the ldapsearch utility supplied with the OpenLDAP package is used.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still has unpatched vulnerabilities, and moving to newer releases is blocked by the license change to AGPLv3, whose requirements also apply to applications that use BerkeleyDB as a library: Squid is supplied under the GPLv2 license, and the AGPL is incompatible with the GPLv2. Instead of Berkeley DB, the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" handlers now recommend using the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which allows loops to be detected when using content delivery networks (the header provides protection against situations where a request, while being redirected between CDNs, for some reason returns to the original CDN, forming an endless loop).
  • The SSL-Bump mode, which allows the contents of encrypted HTTPS sessions to be intercepted, has gained support for redirecting intercepted (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (transmission via HTTPS is not supported, since Squid cannot yet transport TLS inside TLS). SSL-Bump allows a TLS connection to be established with the target server when the first intercepted HTTPS request is received, and its certificate to be obtained. After this, Squid uses the hostname from the real certificate received from the server and creates a dummy certificate, with which it imitates the requested server when interacting with the client, while continuing to use the TLS connection established with the target server to receive data (so that the substitution does not lead to warnings in browsers on the client side, you need to add the certificate used to generate the fictitious certificates to the root certificate store).
  • Added the mark_client_connection and mark_client_packet directives for binding Netfilter marks (CONNMARK) to client TCP connections or to individual packets.
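To make the CDN-Loop mechanism from the list above concrete, here is an added example (not Squid's own code) that parses an RFC 8586 CDN-Loop field value and checks whether the proxy's own identifier already appears in it, which is the condition under which a proxy should stop forwarding and return an error instead. The identifier "cdn-a.example" and the header values in the test are constructed.

```python
import re

# Added example: loop detection with the CDN-Loop header (RFC 8586).
# cdn-info = cdn-id *( OWS ";" OWS parameter ); values may be quoted strings.

def _split_outside_quotes(value, sep):
    # Split on `sep`, but not inside quoted-string parameter values.
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if not escaped and not quoted and ch == sep:
            parts.append("".join(buf))
            buf = []
            continue
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value

def parse_cdn_loop(header_value):
    # -> [(cdn_id, {param: value}), ...]; empty list elements are skipped.
    entries = []
    for element in _split_outside_quotes(header_value, ","):
        if not element.strip():
            continue
        cdn_id, *params = _split_outside_quotes(element, ";")
        parsed = {}
        for param in params:
            name, _, val = param.partition("=")
            parsed[name.strip().lower()] = _unquote(val.strip())
        entries.append((cdn_id.strip(), parsed))
    return entries

def has_loop(header_values, own_id):
    # True if our cdn-id already appears in any CDN-Loop line; the comparison
    # is case-insensitive because cdn-ids are normally hostnames (assumption).
    own = own_id.lower()
    return any(cdn_id.lower() == own
               for value in header_values for cdn_id, _ in parse_cdn_loop(value))
```

A proxy that finds no loop appends its own cdn-id to the header before forwarding; one that does find its id should answer the client with a 5xx response rather than forward the request again.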

Hot on their heels, the Squid 5.2 and Squid 4.17 releases were published, in which the following vulnerabilities have been fixed:

  • CVE-2021-28116 - an information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy's clients to their own host. The problem appears only in configurations with WCCPv2 support enabled and where the router's IP address can be spoofed.
  • CVE-2021-41611 - an error in TLS certificate verification that allows access using untrusted certificates.

Source: opennet.ru
