Squid 5.1 ya zo bayan shekaru uku na ci gaba kuma waɗannan labaransa ne

Bayan shekaru uku na cigaba an saki sabon sigar tabbatacciyar sigar sabar wakilin wakili na Squid 5.1 wanda ke shirye don amfani akan tsarin samarwa (sigogin 5.0.x sun kasance beta).

Bayan sanya reshen 5.x ya tabbata, daga yanzu, gyara kawai za a yi don raunin rauni da lamuran kwanciyar hankali, kuma za a ba da izinin ƙaramin haɓakawa. Za a yi haɓaka sabbin ayyuka a cikin sabon reshe na gwaji 6.0. Ana ƙarfafa masu amfani da tsofaffin reshen 4.x mai ƙarfi don tsara ƙaura zuwa reshen 5.x.

Squid 5.1 Babban Sabbin Sigogi

A cikin wannan sabon sigar An rage tallafin tsarin Berkeley DB saboda lasisin lasisi. Berkeley DB 5.x reshe ba a sarrafa shi tsawon shekaru da yawa kuma yana ci gaba da samun raunin da bai dace ba, da haɓakawa zuwa sabbin sigogi baya ba da damar canza lasisin AGPLv3, abubuwan da buƙatun su ma suka shafi aikace -aikacen da ke amfani da BerkeleyDB a cikin tsarin ɗakin karatu. - An saki Squid a ƙarƙashin lasisin GPLv2 kuma AGPL bai dace da GPLv2 ba.

Maimakon Berkeley DB, an gudanar da aikin don amfani da TrivialDB DBMS, wanda, sabanin Berkeley DB, an inganta shi don samun daidaiton samun damar bayanai. Ana kiyaye tallafin Berkeley DB a yanzu, amma yanzu an ba da shawarar yin amfani da nau'in ajiya na "libtdb" maimakon "libdb" a cikin "ext_session_acl" da "ext_time_quota_acl" direbobi.

Bugu da ƙari, an ƙara tallafi don kanun HTTP CDN-Loop, wanda aka ayyana a cikin RFC 8586, wanda ke ba da damar gano madaukai yayin amfani da hanyoyin sadarwar isar da abun ciki (kanun yana ba da kariya daga yanayin da buƙata, yayin juyawa tsakanin CDNs saboda wani dalili, ya dawo. zuwa CDN na asali, yana samar da madauki mara iyaka).

A gefe guda, tsarin SSL-Bump, wanda ke ba da damar ɗaukar abun ciki na ɓoyayyen zaman HTTPS, hƙarin tallafi don sake juyar da buƙatun HTTPS ta hanyar wasu sabobin wakili da aka ƙayyade a cikin cache_peer ta amfani da rami na yau da kullun dangane da hanyar haɗin HTTP (ba a tallafawa yawo akan HTTPS kamar yadda Squid ba zai iya turo da TLS a cikin TLS ba).

SSL-Bump yana ba da damar, lokacin isowar buƙatun HTTPS na farko, don kafa haɗin TLS tare da sabar uwar garke kuma sami takardar shedar ta. Daga baya, Squid yana amfani da sunan mai masaukin baki na ainihin takardar shaidar da aka karɓa daga sabar kuma ƙirƙirar takardar shaidar karya, wanda yake kwaikwayon uwar garken da aka nema lokacin mu'amala da abokin ciniki, yayin ci gaba da amfani da haɗin TLS da aka kafa tare da uwar garken manufa don karɓar bayanai.

An kuma haskaka cewa aiwatar da ladabi ICAP (Protocol Adaptation Protocol), wanda ake amfani dashi don haɗawa tare da tsarin tabbatar da abun ciki na waje, ya kara tallafi don tsarin abin da aka makala na bayanai wanda ke ba ku damar haɗa ƙarin kanun labarai na metadata zuwa amsar, wanda aka sanya bayan saƙon. jiki.

Maimakon yin la'akari da "dns_v4_first»Don ƙayyade umarnin yin amfani da gidan adireshin IPv4 ko IPv6, yanzu ana yin la’akari da odar amsa a cikin DNS- Idan amsar AAAA daga DNS ta bayyana da farko yayin jiran adireshin IP don warwarewa, za a yi amfani da adireshin IPv6 da aka samu. Sabili da haka, yanzu ana yin saitin adireshin gidan da aka fi so a cikin Tacewar zaɓi, DNS, ko a farawa tare da zaɓi "–disable-ipv6".
Canjin da aka gabatar zai hanzarta lokaci don saita haɗin TCP da rage tasirin aikin jinkiri a ƙudurin DNS.

Lokacin jujjuya buƙatun, ana amfani da algorithm "Farin Ciki na ido", wanda nan take yake amfani da adireshin IP ɗin da aka karɓa, ba tare da jiran duk wani adireshin IPv4 da IPv6 mai yuwuwa da za a warware ba.

Don amfani a cikin umarnin "external_acl", an ƙara direba na "ext_kerberos_sid_group_acl" don tabbatarwa tare da ƙungiyoyin tabbatarwa a cikin Littafin Aiki ta amfani da Kerberos. Ana amfani da kayan aikin ldapsearch da kunshin OpenLDAP yayi don tambayar sunan ƙungiyar.

Ƙara alamar alamar_client_connection da mark_client_pack umarnin don ɗaure alamun Netfilter (CONNMARK) zuwa fakiti ɗaya ko haɗin abokin ciniki na TCP.

A ƙarshe an ambaci cewa bin matakan sigar Squid 5.2 da Squid 4.17 An gyara raunin rauni:

  • CVE-2021-28116-Jarabawar bayanai lokacin sarrafa saƙon WCCPv2 na musamman. Rashin raunin yana ba wa maharin damar lalata jerin sanannun magudanar WCCP da kuma jujjuya zirga -zirga daga wakilin wakili zuwa mai masaukinsa. Matsalar tana bayyana kanta ne kawai a cikin jeri tare da kunna WCCPv2 da aka kunna kuma lokacin da zai yuwu a zuga adireshin IP na na'ura mai ba da hanya tsakanin hanyoyin sadarwa.
  • CVE-2021-41611: kuskure yayin tabbatar da takaddun TLS waɗanda ke ba da damar isa ta amfani da takaddun da ba a amince da su ba.

A ƙarshe, idan kuna son ƙarin sani game da shi, kuna iya bincika cikakkun bayanai A cikin mahaɗin mai zuwa.


Abubuwan da ke cikin labarin suna bin ka'idodinmu na ka'idojin edita. Don yin rahoton kuskure danna a nan.

Kasance na farko don yin sharhi

Bar tsokaci

Your email address ba za a buga. Bukata filayen suna alama da *

*

*

  1. Mai alhakin bayanan: Miguel Ángel Gatón
  2. Dalilin bayanan: Gudanar da SPAM, gudanar da sharhi.
  3. Halacci: Yarda da yarda
  4. Sadarwar bayanan: Ba za a sanar da wasu bayanan ga wasu kamfanoni ba sai ta hanyar wajibcin doka.
  5. Ajiye bayanai: Bayanin yanar gizo wanda Occentus Networks (EU) suka dauki nauyi
  6. Hakkoki: A kowane lokaci zaka iyakance, dawo da share bayanan ka.