Squid

Squid is an open source, full-featured and high-performance web proxy cache application that can be arranged hierarchically for an improvement in response time and a reduction in bandwidth usage.

It works by first caching frequently used websites and then reuse them to provide users with a much faster web browsing experience, as well as to reduce the costs of their expensive Internet plans.

Supports a wide range of protocols

The application supports proxying and caching of the well known HTTP/HTTPS and FTP Internet protocols, as well as other URLs. Furthermore, it supports proxying for SSL (Secure Sockets Layer), cache hierarchies, cache digests, transparent caching, extensive access controls, HTTP server acceleration, and caching of DNS (Domain Name System) lookups.

In addition, it supports the ICP (Internet Cache Protocol), HTCP (Hypertext caching protocol), CARP (Common Address Redundancy Protocol), SNMP (Simple Network Management Protocol), and WCCP (Web Cache Communication Protocol) specifications.

Used by many ISPs around the world

The program is mostly used by ISPs (Internet Service Providers) who want to deliver their users with ultra fast and high quality Internet connections, especially for intense web browsing sessions. It is also used by several websites to deliver rich multimedia content faster.

Being the result of many contributions by unpaid and paid volunteers, the Squid project has been successfully tested with popular GNU/Linux distributions, as well as with the Microsoft Windows operating systems.

Squid is an important project for all home Internet users, but it was extremely useful a few years ago when there weren’t so many high-speed Internet Service Providers (ISPs) out there.

Bottom line

These days, thanks to the ever-growing network technologies, one those not need to install and configure a Squid proxy cache server in order to have a faster web browsing experience. However, this doesn’t mean that it’s not useful in some third world countries where high-speed Internet connection is still available only to rich people or big companies.

What is new in this release:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version :

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.5.9:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.5.6:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.5.4:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.5.2:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.5.1:

• The major changes to be aware of:
• CVE-2014-0128 : SQUID-2014:1 Denial of Service in SSL-Bump http://www.squid-cache.org/Advisories/SQUID-2014_1.txt This problem occurs in SSL-Bumped traffic and most severely when using server-first bumping. It allows any client who can generate HTTPS requests to perform a denial of service attack on Squid. There are popular client software implementations which generate HTTPS requests and triggering this vulnerability during their normal activities.
• Bug #4029: intercepted HTTPS requests bypass caching checks:
• This bug caused Squid to cache responses to HTTPS requests where the caching should have been rejected due to the method. Resulting in HITs short-circuiting transactions which should have been relayed to the origin server.
• Bug #4026: SSL and adaptation_access on aborted connections:
• When performing adaptation on SSL traffic it was possible for a trusted client to crash Squid. This was only possible during the very narrow time of selecting which adaptation service(s) to perform, so the security impact is very unlikely. However in configurations using slow ACL tests or external ACL helpers the risk is much increased.
• Bug #3969: credentials caching for Digest authentication:
• This bug resulted in Digest authentication incorrectly authenticating requests against the wrong user credentials and forcing re-authentication. While this fail-closed behaviour is safe from a security viewpoint it can result in large bandwidth usage on affected Squid.
• Bug #3769: client_netmask not evaluated since Comm redesign:
• This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored.
• Bug #3186 and #3628: Digest authentication always sending stale=false:
• These bugs resulted in the client software wrongly determining Digest authentication as failed and/or re-authentication popups occuring on every nonce TTL expiry.
• Several portability issues have also been resolved:
• The resolved issues are largly visible as compile failure regarding cstdio, strsep(), and various CMSG symbols. These issue affected all BSD based systems as well as several Unix based.

What is new in version 3.2.2:

• CVE-2009-0801 : NAT interception vulnerability to malicious clients.
• NCSA helper DES algorithm password limits
• SMP scalability
• Helper Multiplexer and On-Demand
• Helper Name Changes
• Multi-Lingual manuals
• Solaris 10 pthreads Support
• Surrogate/1.0 protocol extensions to HTTP
• Logging Infrastructure Updated
• Client Bandwidth Limits
• Better eCAP support
• Cache Manager access changes

What is new in version 3.1.10:

• This version brings a long list of bug fixes and some further HTTP/1.1 improvements.
• Some small but cumulative memory leaks were found and fixed in Digest authentication and adaptation ACL processing.
• New limits are placed on memory consumption when uploading files and when using delay pools.
• Users of Squid-3 experiencing memory or large cache problems are urged to upgrade as soon as possible.