Squid 5.1 arrives after three years of development, and this is what is new

After three years of development, a new stable version of the Squid 5.1 proxy server has been released, ready for use on production systems (the 5.0.x versions were beta).

Now that the 5.x branch has been declared stable, from here on only fixes for vulnerabilities and stability problems will be made, and minor optimizations will be allowed. Development of new functionality will take place in the new experimental 6.0 branch. Users of the old 4.x branch are encouraged to plan a migration to the 5.x branch.

Squid 5.1: main new features

In this new version, support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still carries unpatched vulnerabilities, and upgrading to newer releases is not possible because of their change to the AGPLv3 license, whose requirements also extend to applications that use BerkeleyDB as a library. Squid is distributed under the GPLv2 license, and the AGPL is incompatible with the GPLv2.

Instead of Berkeley DB, the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is kept for now, but in the "ext_session_acl" and "ext_time_quota_acl" helpers it is now recommended to use the "libtdb" storage type instead of "libdb".

In addition, support has been added for the HTTP CDN-Loop header, defined in RFC 8586, which makes it possible to detect loops when content delivery networks are used (the header protects against the situation where a request that is, for whatever reason, redirected between CDNs comes back to the original CDN and forms an endless loop).
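To show what the CDN-Loop header is used for, here is an added example (not Squid's code and not from the original article): the Python below parses CDN-Loop field values according to the RFC 8586 grammar and decides whether the request has already passed through the local CDN. The cdn-ids and header values are constructed for the demonstration; RFC 8586 does not prescribe a response status, so the 508 used here is a choice of this example.

```python
"""Loop detection with the HTTP CDN-Loop header (RFC 8586).

Every CDN that forwards a request appends its own cdn-id to CDN-Loop.
A CDN that finds its own cdn-id already present knows the request has
looped back to it and rejects it instead of forwarding it once more.

Added example, not Squid's code. The cdn-ids and header values below are
constructed for the demonstration.
"""
from typing import List, Optional, Tuple


def _split_list(value: str) -> List[str]:
    """Split a comma-separated (#list) header value on commas that are
    outside quoted-strings. Parameter values such as note="a,b" may
    legitimately contain commas, so a naive value.split(",") is wrong."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_cdn_loop(field_values: List[str]) -> List[str]:
    """Return the ordered cdn-ids from one or more CDN-Loop field values.

    RFC 8586: cdn-info = cdn-id *( OWS ";" OWS parameter ), so the cdn-id is
    everything before the first ';'. Parameters are ignored for loop
    detection. cdn-ids are lower-cased because a cdn-id may be a host name,
    which is compared case-insensitively.
    """
    ids: List[str] = []
    for value in field_values:
        for info in _split_list(value):
            cdn_id = info.split(";", 1)[0].strip().lower()
            if cdn_id:
                ids.append(cdn_id)
    return ids


def is_loop(field_values: List[str], own_id: str) -> bool:
    """True when this CDN's own identifier already appears in CDN-Loop."""
    return own_id.lower() in parse_cdn_loop(field_values)


def outgoing_cdn_loop(field_values: List[str], own_id: str) -> str:
    """Value to send upstream: the received entries, parameters intact,
    with this CDN's id appended as the last element."""
    received = [v.strip() for v in field_values if v.strip()]
    return ", ".join(received + [own_id.lower()])


def handle(field_values: List[str], own_id: str) -> Tuple[int, Optional[str]]:
    """Decide what to do with a request: (status, CDN-Loop value to forward).
    This example answers 508 (Loop Detected) when a loop is found; otherwise
    200 together with the CDN-Loop value to attach when forwarding."""
    if is_loop(field_values, own_id):
        return 508, None
    return 200, outgoing_cdn_loop(field_values, own_id)


if __name__ == "__main__":
    # Constructed: two CDN-Loop field lines received on one request.
    received = ['cdn-alpha; k=v', 'example.net:8080, cdn-beta; note="a,b"']
    print(handle(received, "cdn-gamma"))  # forward, own id appended
    print(handle(received, "CDN-Beta"))   # loop: already passed through cdn-beta
```

The splitter matters in practice: a parameter value is a quoted-string that may contain commas, so splitting the raw header on "," would produce bogus cdn-ids and could let a loop go unnoticed.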

On the other hand, the SSL-Bump mechanism, which allows the content of encrypted HTTPS sessions to be intercepted, gained support for redirecting spoofed HTTPS requests through other proxy servers specified in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, since Squid does not yet support TLS inside TLS).

SSL-Bump works as follows: when the first intercepted HTTPS request arrives, it establishes a TLS connection to the destination server and obtains its certificate. Squid then takes the host name from the certificate received from the server and generates a fake certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection established with the destination server to fetch the data.

It is also noted that the implementation of the ICAP protocol (Internet Content Adaptation Protocol), used for integration with external content-checking systems, added support for a data attachment mechanism that allows additional metadata headers, placed after the message body, to be attached to the response.

Instead of consulting "dns_v4_first" to decide whether the IPv4 or IPv6 address family is used, the order of the DNS replies is now taken into account: if the AAAA reply from the DNS arrives first while an IP address is being resolved, the resulting IPv6 address will be used. The preferred address family is therefore now configured in the firewall, in the DNS, or at startup with the "--disable-ipv6" option.
The change is intended to shorten TCP connection setup time and reduce the performance impact of delays in DNS resolution.

When forwarding requests, the "Happy Eyeballs" algorithm is used, which uses the first IP address that is received, without waiting for all potentially available IPv4 and IPv6 addresses to be resolved.
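To make the new selection rule from the two paragraphs above concrete, here is an added example (not Squid's resolver and not from the original article): the Python below issues the A and AAAA lookups concurrently and takes the first one that returns a record, skipping negative or failed replies. The lookups are constructed stand-ins with artificial delays so that the code runs offline.

```python
"""Use the first usable DNS reply, A or AAAA, instead of a fixed
dns_v4_first preference, as the Squid 5.1 change described above does.

Added example, not Squid's code. The lookups below are constructed
stand-ins with artificial delays so the code runs offline; a real
implementation would issue the A and AAAA queries in parallel the same way.
"""
import asyncio
import ipaddress
from typing import Awaitable, Dict, List, Optional, Tuple


async def fake_lookup(answers: Optional[List[str]], delay: float) -> List[str]:
    """Constructed stand-in for one DNS query that replies after `delay`
    seconds. An empty list models a negative reply (no records of that
    type); None models a failed query (timeout, SERVFAIL)."""
    await asyncio.sleep(delay)
    if answers is None:
        raise TimeoutError("constructed lookup failure")
    return answers


async def first_usable_answer(
    queries: Dict[str, Awaitable[List[str]]]
) -> Optional[Tuple[str, str]]:
    """Run all queries concurrently and return (rrtype, address) from the
    first one that completes with at least one record. Queries that fail or
    return no records are skipped; the others keep running until a usable
    reply arrives or none is left, in which case None is returned."""
    pending = {asyncio.ensure_future(aw): rrtype for rrtype, aw in queries.items()}
    try:
        while pending:
            done, _ = await asyncio.wait(set(pending), return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                rrtype = pending.pop(task)
                if task.exception() is None and task.result():
                    return rrtype, task.result()[0]
        return None
    finally:
        for task in pending:  # stop queries still in flight
            task.cancel()


def address_family(addr: str) -> str:
    """'IPv6' or 'IPv4' for a textual address."""
    return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"


def resolve(scenario: Dict[str, Tuple[Optional[List[str]], float]]) -> Optional[Tuple[str, str]]:
    """scenario maps an rrtype ('A' or 'AAAA') to (answers, delay in seconds).
    Returns (family, address) of the first usable reply, or None."""
    async def run() -> Optional[Tuple[str, str]]:
        queries = {rr: fake_lookup(answers, delay) for rr, (answers, delay) in scenario.items()}
        found = await first_usable_answer(queries)
        if found is None:
            return None
        _, addr = found
        return address_family(addr), addr
    return asyncio.run(run())


if __name__ == "__main__":
    # AAAA replies first, so the IPv6 address is used although A replies too.
    print(resolve({"A": (["192.0.2.10"], 0.05), "AAAA": (["2001:db8::10"], 0.01)}))
    # A replies first: IPv4 wins; no fixed family preference is involved.
    print(resolve({"A": (["192.0.2.10"], 0.01), "AAAA": (["2001:db8::10"], 0.05)}))
    # A fast negative AAAA reply is skipped and the slower A reply is used.
    print(resolve({"A": (["192.0.2.10"], 0.05), "AAAA": ([], 0.01)}))
```

The cases worth checking are the negative and failed replies: a fast empty or failed AAAA answer must not make the resolver give up while a usable A answer is still on its way, and the selection must depend only on arrival order, not on a configured family preference.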

For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" helper has been added for authentication with group checks against Active Directory using Kerberos. The ldapsearch utility shipped with the OpenLDAP package is used to look up the group name.

The mark_client_connection and mark_client_packet directives have been added to bind Netfilter (CONNMARK) marks to individual packets or to client TCP connections.

Finally, it is mentioned that, following these, the corrective releases Squid 5.2 and Squid 4.17 were published, in which the following vulnerabilities were fixed:

  • CVE-2021-28116: an information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect proxy client traffic to their own host. The problem only appears in configurations with WCCPv2 support enabled and when it is possible to spoof the router's IP address.
  • CVE-2021-41611: an error in TLS certificate verification that allows access using untrusted certificates.

Finally, if you want to know more about it, you can check the details at the following link.
