Squid 5.1 arrives after three years of development, and these are its new features

After three years of development, a new stable release of the Squid proxy server, version 5.1, has been announced as ready for use on production systems (the 5.0.x releases were betas).

Now that the 5.x branch has been declared stable, it will only receive fixes for vulnerabilities and stability issues, and minor optimizations will be allowed. New features will be developed in the new experimental 6.0 branch. Users of the older stable 4.x branch are encouraged to plan a migration to the 5.x branch.

Main new features of Squid 5.1

In this new version, support for the Berkeley DB format has been deprecated because of licensing issues. The Berkeley DB 5.x branch has not been maintained for several years and still has unpatched vulnerabilities, and upgrading to newer versions is not possible because the license changed to AGPLv3, whose requirements also apply to applications that use BerkeleyDB as a library. Squid is released under the GPLv2 license, and the AGPL is not compatible with GPLv2.

In place of Berkeley DB, the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is kept for now, but it is recommended to use the "libtdb" storage type instead of "libdb" in the "ext_session_acl" and "ext_time_quota_acl" helpers.

In addition, support has been added for the HTTP CDN-Loop header, defined in RFC 8586, which makes it possible to detect loops when content delivery networks are used. The header protects against situations in which a request, while being redirected between CDNs, for some reason comes back to the original CDN and forms an infinite loop.
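The loop check that the CDN-Loop header enables, as an added Python example (not Squid's own code). The node name `edge.example` and the function names are assumptions made for illustration; the header syntax follows RFC 8586, where a quoted parameter value may itself contain commas.

```python
# Added example: RFC 8586 CDN-Loop loop check. Not Squid's implementation.

def split_elements(value):
    """Split a CDN-Loop value on commas, ignoring commas inside quoted-strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def cdn_ids(header_values):
    """Return the cdn-id of every cdn-info element, in order of appearance."""
    ids = []
    for value in header_values:          # a request may carry several CDN-Loop lines
        for element in split_elements(value):
            # A cdn-id never contains quotes, so it ends at the first ';'.
            cdn_id = element.split(";", 1)[0].strip()
            if cdn_id:
                # Assumption: compare case-insensitively (host names are).
                ids.append(cdn_id.lower())
    return ids


def forward_decision(header_values, my_id):
    """Reject if my_id is already listed, else append it and forward."""
    if my_id.lower() in cdn_ids(header_values):
        return "reject", None            # the request has already passed through us
    return "forward", ", ".join(list(header_values) + [my_id])


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(forward_decision(['foo.example, bar.example; trace="abc"'], "edge.example"))
    print(forward_decision(['foo.example', 'EDGE.example; hop=2'], "edge.example"))
```

A node that splits the header on every comma would treat text inside a quoted parameter as a CDN identifier and reject a request that never passed through it; the quote-aware split avoids that false positive.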

Meanwhile, the SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, has gained support for forwarding intercepted HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, because Squid cannot carry TLS inside TLS).

When the first intercepted HTTPS request arrives, SSL-Bump establishes a TLS connection with the destination server and obtains its certificate. Squid then takes the host name from the real certificate received from the server and generates a fake certificate, with which it impersonates the requested server when talking to the client, while continuing to use the TLS connection established with the destination server to receive data.

It is also highlighted that the implementation of the ICAP protocol (Internet Content Adaptation Protocol), which is used for integration with external content inspection systems, has added support for the data attachment mechanism that lets you attach additional metadata headers to the response, placed after the message body.

Instead of relying on the "dns_v4_first" setting to decide the order in which the IPv4 or IPv6 address family is used, the order of the DNS responses is now taken into account: if the AAAA response from DNS arrives first while Squid is waiting for an IP address to resolve, the resulting IPv6 address is used. The preferred address family is therefore now configured in the firewall, in DNS, or at startup with the "--disable-ipv6" option.
The change speeds up the setup of TCP connections and reduces the performance impact of delays in DNS resolution.

When forwarding requests, the "Happy Eyeballs" algorithm is used, which uses a received IP address immediately, without waiting for all potentially available destination IPv4 and IPv6 addresses to be resolved.

For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" helper has been added for authentication with group checks in Active Directory using Kerberos. The ldapsearch utility provided by the OpenLDAP package is used to query the group name.

The mark_client_connection and mark_client_packet directives have been added to bind Netfilter (CONNMARK) marks to individual packets or to client TCP connections.

Finally, it is noted that the subsequent releases Squid 5.2 and Squid 4.17 fixed the following vulnerabilities:

  • CVE-2021-28116: information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy's clients to the attacker's host. The problem only appears in configurations with WCCPv2 support enabled and when it is possible to spoof the router's IP address.
  • CVE-2021-41611: an error in TLS certificate validation that allows access using untrusted certificates.

Finally, if you want to know more about it, you can check the details at the following link.

