Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published and is ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems will be made to it from here on, with minor optimizations also allowed. Development of new features will take place in the new experimental 6.0 branch. Users of the previous stable 4.x branch are advised to plan a migration to the 5.x branch.

Key changes in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content-checking systems, gained support for the trailer mechanism, which lets the adaptation service attach additional metadata headers after the message body (for example, a checksum, or details about problems found in the content).
  • When forwarding requests, the "Happy Eyeballs" algorithm is now used: the first IP address returned is used immediately, without waiting for every available IPv4 and IPv6 address to be resolved. Instead of the "dns_v4_first" setting deciding whether the IPv4 or IPv6 address family is used, the order of DNS responses now decides: if the AAAA response arrives first while a host name is being resolved, the resulting IPv6 address is used. The preferred address family is therefore now set at the firewall or DNS level, or at build time with the "--disable-ipv6" configure option. The change shortens TCP connection setup time and reduces the performance impact of delays during DNS resolution.
  • For use with the "external_acl_type" directive, the "ext_kerberos_sid_group_acl" helper was added to check group membership in Active Directory using Kerberos. The group name is looked up with the ldapsearch utility from the OpenLDAP package.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still carries unpatched vulnerabilities, while moving to newer releases is blocked by the license change to AGPLv3, whose requirements also extend to applications that use BerkeleyDB as a library; Squid is distributed under GPLv2, and the AGPL is incompatible with GPLv2. Instead of Berkeley DB the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for concurrent parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" helpers now recommend the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which allows forwarding loops to be detected when content delivery networks are used (the header protects against situations where a request being passed between CDNs returns, for whatever reason, to the original CDN and forms an endless loop).
  • SSL-Bump mode, which allows the contents of encrypted HTTPS sessions to be intercepted, gained support for forwarding intercepted (re-encrypted) HTTPS requests through other proxy servers listed in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, since Squid cannot yet carry TLS inside TLS). SSL-Bump establishes a TLS connection to the target server when the first intercepted HTTPS request arrives and obtains the server's certificate. Squid then takes the host name from the real certificate received from the server and generates a dummy certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection already established to the target server to fetch the data (so that the substitution does not trigger warnings in browsers on the client side, the CA certificate used to generate the fake certificates must be added to the clients' trusted root certificate store).
  • Added the mark_client_connection and mark_client_packet directives for attaching Netfilter marks to client TCP connections (CONNMARK) or to individual packets.
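The Happy Eyeballs behaviour described above, as an added example that is not Squid's own code: A and AAAA lookups run in parallel, addresses are tried in the order their answers arrive, and a failed connect attempt falls through to the next answer. The resolver and the connect attempts are simulated with constructed delays and outcomes so the example runs offline; the address sets and timings are assumptions.

```python
"""Happy-Eyeballs-style destination selection (added example, not Squid's code).

The resolver is simulated: each record type delivers its answer after a
constructed delay, and connect attempts are decided by a caller-supplied
predicate, so the example runs offline.
"""
import asyncio
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS answers: record type -> (arrival delay in seconds, addresses).
# Here the AAAA answer arrives before the A answer, so IPv6 is tried first
# regardless of any static "prefer IPv4" setting.
AAAA_FIRST: Dict[str, Tuple[float, List[str]]] = {
    "AAAA": (0.01, ["2001:db8::10", "2001:db8::11"]),
    "A": (0.05, ["192.0.2.10"]),
}
# Same addresses, but the A answer arrives first.
A_FIRST: Dict[str, Tuple[float, List[str]]] = {
    "AAAA": (0.05, ["2001:db8::10", "2001:db8::11"]),
    "A": (0.01, ["192.0.2.10"]),
}


async def _lookup(rrtype: str, answers: Dict[str, Tuple[float, List[str]]],
                  out: "asyncio.Queue[str]") -> None:
    """Simulated resolver: deliver the answer for one record type after its delay."""
    delay, addrs = answers[rrtype]
    await asyncio.sleep(delay)
    for addr in addrs:
        await out.put(addr)


async def _select(answers: Dict[str, Tuple[float, List[str]]],
                  connect_ok: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
    queue: "asyncio.Queue[str]" = asyncio.Queue()
    lookups = [asyncio.create_task(_lookup(rr, answers, queue)) for rr in ("A", "AAAA")]
    total = sum(len(addrs) for _, addrs in answers.values())
    tried: List[str] = []
    chosen: Optional[str] = None
    for _ in range(total):
        # Block only until the *next* address is known, never until both
        # lookups have completed: whichever answer arrives first is used.
        addr = await queue.get()
        tried.append(addr)
        if connect_ok(addr):
            chosen = addr
            break
    # Stop any lookup that is still pending once a destination is chosen.
    for task in lookups:
        task.cancel()
    await asyncio.gather(*lookups, return_exceptions=True)
    return chosen, tried


def pick_destination(answers: Optional[Dict[str, Tuple[float, List[str]]]] = None,
                     connect_ok: Callable[[str], bool] = lambda addr: True
                     ) -> Tuple[Optional[str], List[str]]:
    """Return (chosen address or None, addresses tried in arrival order)."""
    return asyncio.run(_select(AAAA_FIRST if answers is None else answers, connect_ok))


if __name__ == "__main__":
    print(pick_destination())                                   # IPv6 wins: its answer came first
    print(pick_destination(A_FIRST))                            # IPv4 wins: its answer came first
    print(pick_destination(AAAA_FIRST, lambda a: ":" not in a))  # IPv6 unreachable, falls back to IPv4
```

Passing a predicate that rejects IPv6 addresses models a host whose v6 route is broken: the two AAAA addresses are tried and fail, and the later-arriving A answer is used, which is the fallback Happy Eyeballs provides.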
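The CDN-Loop handling described above, as an added example that is not Squid's own code: it parses the RFC 8586 header (a comma-separated list of cdn-id entries, each optionally followed by ";"-separated parameters), reports a loop when the proxy's own identifier is already present, and builds the value to send to the next hop. The own-identifier string, the rejection policy and the sample header values are assumptions made for the example.

```python
"""RFC 8586 CDN-Loop parsing and loop detection (added example, not Squid's code)."""
import re
from typing import Dict, List, Tuple

# RFC 7230 token and quoted-string; RFC 8586 uses them for pseudonyms and parameters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# cdn-id = ( uri-host [ ":" port ] ) / pseudonym; an IP-literal host is bracketed.
_CDN_ID = re.compile(rf"^(?:\[[0-9A-Fa-f:.]+\]|{_TOKEN})(?::[0-9]+)?$")
_PARAM = re.compile(rf"^({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})$")


def _split(value: str, sep: str) -> List[str]:
    """Split on sep outside quoted strings; drop empty members (RFC 7230 list rule)."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_cdn_loop(header_values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(cdn-id, {param: value})] across all CDN-Loop lines; ValueError if malformed."""
    entries: List[Tuple[str, Dict[str, str]]] = []
    for value in header_values:
        for info in _split(value, ","):
            parts = _split(info, ";")
            if not parts or not _CDN_ID.match(parts[0]):
                raise ValueError(f"malformed cdn-id in {info!r}")
            params: Dict[str, str] = {}
            for raw in parts[1:]:
                m = _PARAM.match(raw)
                if not m:
                    raise ValueError(f"malformed parameter: {raw!r}")
                name, val = m.group(1).lower(), m.group(2)
                if val.startswith('"'):
                    val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unescape quoted-string
                params[name] = val
            entries.append((parts[0], params))
    return entries


def has_loop(header_values: List[str], own_id: str) -> bool:
    """True if own_id already appears as a cdn-id (host names compare case-insensitively)."""
    return any(cdn_id.lower() == own_id.lower() for cdn_id, _ in parse_cdn_loop(header_values))


def outgoing_cdn_loop(header_values: List[str], own_id: str) -> str:
    """CDN-Loop value for the next hop: the existing members plus our own id."""
    members = [m for v in header_values for m in _split(v, ",")]
    return ", ".join(members + [own_id])


def forward_or_reject(header_values: List[str], own_id: str) -> Tuple[bool, str]:
    """Per-request decision: (forward?, outgoing header value or rejection reason)."""
    try:
        if has_loop(header_values, own_id):
            return False, f"loop: {own_id} already present in CDN-Loop"
    except ValueError as exc:
        return False, f"malformed CDN-Loop: {exc}"
    return True, outgoing_cdn_loop(header_values, own_id)


if __name__ == "__main__":
    # Constructed header values, as received on two header lines of one request.
    received = ["foo123.example.com", 'cdn.example.net:443; trace="a,b"']
    print(parse_cdn_loop(received))
    print(forward_or_reject(received, "cdn.example.net:443"))  # rejected: we are already in the chain
    print(forward_or_reject(received, "proxy.example.org"))    # forwarded with our id appended
```

Malformed header values are rejected rather than forwarded: a proxy that could not parse the header would otherwise be unable to see its own identifier in it, and the loop protection would silently disappear.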

Shortly afterwards, the Squid 5.2 and Squid 4.17 releases were published, fixing the following vulnerabilities:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability lets an attacker corrupt the list of known WCCP routers and redirect traffic from the proxy's clients to a host of their choosing. The problem only affects configurations with WCCPv2 support enabled, and only where the router's IP address can be spoofed.
  • CVE-2021-41611 - A problem in TLS certificate verification allows access using untrusted certificates.

Source: opennet.ru
