Re: [squid-users] Squid 3.2.0.19 beta is available

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 08 Aug 2012 14:51:19 +0300

On 8/7/2012 10:59 AM, Amos Jeffries wrote:
> Important changes to note in this release:
>
> * As you should know CVE-2009-0801 security vulnerability protection was
> added in 3.2 series.
>
> Earlier betas attempted to protect peer caches as well as themselves, by
> blocking relay of untrusted requests until we could implement a safe relay.
>
> Due to time constraints this extra layer of peer protection
> has been REMOVED from 3.2 default builds.
>
> Interception cache proxies are themselves well protected against the
> vulnerability, but can indirectly poison any cache hierarchy they are
> integrated with. The -DSTRICT_HOST_VERIFY compile-time flag can be
> defined in CXXFLAGS to re-enable this peer protection if desired. Its
> use is encouraged, but will result in problems for some popular
> configurations, i.e. ISP interception proxy gatewaying through a cache
> array, matrix of interception proxies as siblings.
>
> Use of the client destination IP (ORIGINAL_DST) is still preferred for
> untrusted requests, so if your proxy is backed by a firewall denial
> please ensure that the rules are REJECT rules rather than DROP for best
> performance. never_direct does not affect this routing preference as it
> does for DIRECT traffic.
I want to verify because I'm a bit confused.
Can an intercepted request be forwarded to a cache_peer in any way?

Thanks,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
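The announcement quoted above asks that a firewall denial sitting behind an intercepting proxy use REJECT rather than DROP, because Squid's ORIGINAL_DST fallback connects to the client's destination address and a DROP leaves that connect() waiting for a TCP timeout, whereas a REJECT (ICMP unreachable or TCP RST) fails it at once. The shell script below is an added example, not code from the Squid project or from anyone on this thread: it scans an iptables-save style dump for DROP rules on the proxy host's OUTPUT chain and prints the equivalent REJECT rule for each. The chain, interface name and address range in the sample are assumptions constructed for the example.

```shell
# Added example (not from the Squid announcement or this list thread).
# Audits an iptables-save style dump for DROP rules that back an
# intercepting Squid. A DROP makes the ORIGINAL_DST connect() sit through
# a timeout; a REJECT fails it immediately, which is what the release
# notes recommend.  Chain, interface and addresses are assumptions.

# Constructed sample dump: one DROP rule and one REJECT rule on the
# proxy host's OUTPUT chain towards an assumed upstream network.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -d 10.0.0.0/8 -j REJECT --reject-with tcp-reset
COMMIT'

# Print every OUTPUT rule whose target is DROP; each is a candidate for
# conversion to REJECT.
find_drop_rules() {
    printf '%s\n' "$1" | awk '/^-A OUTPUT / && / -j DROP( |$)/'
}

# Exit status 0 when the dump contains at least one such DROP rule.
has_drop_rules() {
    [ -n "$(find_drop_rules "$1")" ]
}

# Rewrite DROP targets into REJECT targets, leaving other lines as they
# are. TCP rules get an RST so the proxy sees a refused connection;
# everything else gets the default ICMP port-unreachable reject.
drop_to_reject() {
    printf '%s\n' "$1" | awk '
        / -p tcp / { sub(/-j DROP$/, "-j REJECT --reject-with tcp-reset"); print; next }
        { sub(/-j DROP$/, "-j REJECT"); print }
    '
}

if has_drop_rules "$SAMPLE_RULES"; then
    echo "DROP rules found on OUTPUT; suggested replacements:"
    find_drop_rules "$SAMPLE_RULES" | while IFS= read -r rule; do
        drop_to_reject "$rule"
    done
else
    echo "no DROP rules on OUTPUT"
fi
```

Run it against the output of `iptables-save` on the proxy host instead of the constructed sample to check a live ruleset; `drop_to_reject` applied to the whole dump yields a rewritten dump with no DROP targets left on OUTPUT.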
Received on Wed Aug 08 2012 - 11:51:29 MDT
