Squid 5.1 arrives after three years of development, and these are its new features

After three years of development, the release of the new stable version of the Squid 5.1 caching proxy server has been announced, ready for use on production systems (the 5.0.x versions were betas).

Now that the 5.x branch has been declared stable, from here on it will receive only fixes for vulnerabilities and stability problems, plus minor optimizations. Development of new functionality will take place in the new experimental 6.0 branch. Users of the stable 4.x branch are encouraged to plan their migration to the 5.x branch.

Squid 5.1 Main New Features

In this new version, support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has been unmaintained for several years and still carries unpatched vulnerabilities, and upgrading to newer versions is blocked by their change of license to AGPLv3, whose requirements also apply to applications that use BerkeleyDB as a library. Squid is released under the GPLv2 license, and the AGPL is incompatible with GPLv2.

Instead of Berkeley DB, the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is kept for now, but it is now recommended to use the "libtdb" storage type instead of "libdb" in the "ext_session_acl" and "ext_time_quota_acl" helpers.

In addition, support has been added for the HTTP CDN-Loop header, defined in RFC 8586, which allows loops to be detected when content delivery networks are used (the header protects against situations where a request, while being redirected between CDNs for whatever reason, comes back to the original CDN and an infinite loop forms).
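The loop check described above, as an added example that is not code from the Squid project: a CDN node parses the CDN-Loop field value following the RFC 8586 grammar, refuses to forward when its own identifier is already listed, and otherwise appends itself. The identifier `cdn-example`, the function names, the choice to raise an exception on a loop and the case-insensitive comparison of identifiers are assumptions made for illustration; the RFC leaves the reaction to a detected loop to the implementation.

```python
"""CDN-Loop (RFC 8586) handling as a forwarding proxy would do it.

Added example, not Squid's own code. A node in a CDN chain does two
things with the header: it checks whether its own identifier is already
present (the request has come back to it, i.e. a forwarding loop) and,
if not, appends itself before passing the request on.
"""
from typing import Dict, List, Optional, Tuple

# Identifier this node announces; an assumed value for illustration.
OWN_CDN_ID = "cdn-example"


class ForwardingLoop(Exception):
    """Raised when OWN_CDN_ID is already listed in CDN-Loop."""


def _split_outside_quotes(value: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside HTTP quoted-strings."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(token: str) -> str:
    """Turn a quoted-string into its value; return plain tokens unchanged."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        out: List[str] = []
        escaped = False
        for ch in token[1:-1]:
            if escaped:
                out.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            else:
                out.append(ch)
        return "".join(out)
    return token


def parse_cdn_loop(field_value: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse a CDN-Loop field value into (cdn-id, parameters) pairs.

    RFC 8586: CDN-Loop = #cdn-info ; cdn-info = cdn-id *( OWS ";" OWS parameter )
    Multiple header lines are assumed to have been joined with commas first.
    """
    entries: List[Tuple[str, Dict[str, str]]] = []
    for item in _split_outside_quotes(field_value, ","):
        pieces = _split_outside_quotes(item, ";")
        params: Dict[str, str] = {}
        for p in pieces[1:]:
            name, _, val = p.partition("=")
            params[name.strip().lower()] = _unquote(val.strip())
        entries.append((_unquote(pieces[0]), params))
    return entries


def is_loop(field_value: str, own_id: str = OWN_CDN_ID) -> bool:
    """True if own_id is already one of the cdn-ids in the header.

    Comparison is case-insensitive (an assumption: cdn-id may be a host
    name, which is case-insensitive, or an opaque pseudonym). An identifier
    that only appears inside a parameter value does not count as a loop.
    """
    return any(cdn_id.lower() == own_id.lower()
               for cdn_id, _ in parse_cdn_loop(field_value))


def _find_key(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive; return the key as stored."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def prepare_forwarding(headers: Dict[str, str],
                       own_id: str = OWN_CDN_ID) -> Dict[str, str]:
    """Return a copy of the request headers ready to forward upstream.

    Raises ForwardingLoop instead of forwarding when the request has
    already passed through this node.
    """
    key = _find_key(headers, "CDN-Loop")
    current = headers[key] if key else ""
    if current and is_loop(current, own_id):
        raise ForwardingLoop(f"{own_id!r} already present in CDN-Loop: {current!r}")
    out = dict(headers)
    out[key or "CDN-Loop"] = f"{current}, {own_id}" if current else own_id
    return out


if __name__ == "__main__":
    # Constructed sample: a request that already crossed two other CDNs.
    req = {"Host": "origin.example", "CDN-Loop": 'cdn-a, "cdn b"; k=1'}
    forwarded = prepare_forwarding(req)
    print(forwarded["CDN-Loop"])
    try:
        prepare_forwarding(forwarded)   # same node sees itself: loop
    except ForwardingLoop as exc:
        print("refused:", exc)
```

The parser keeps separators inside quoted-strings intact, which is the detail that matters for the check: a CDN name hidden inside a parameter value such as `note="x, cdn-example"` must not trigger a false loop, and a quoted cdn-id must still be recognised after unquoting.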

On the other hand, the SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, has gained support for forwarding bumped HTTPS requests through other proxy servers listed in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over an HTTPS link to the peer is not supported, since Squid cannot yet carry TLS inside TLS).

SSL-Bump works as follows: when the first intercepted HTTPS request arrives, it establishes a TLS connection to the target server and obtains its certificate. Squid then takes the host name from the real certificate received from the server and generates a dummy certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection already established with the target server to fetch the data.
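A squid.conf fragment tying the two preceding paragraphs together, added here as an example and not taken from the article or the Squid documentation: an intercepting HTTPS port with SSL-Bump that peeks first so the real server certificate is fetched before a mimic certificate is minted, and a cache_peer that receives the bumped requests over a plain CONNECT tunnel. The CA path, certificate database path, peer host name and port numbers are assumptions for illustration.

```conf
# Added example: SSL-Bump interception plus forwarding of bumped
# requests to a parent proxy through a plain HTTP CONNECT tunnel.
# Paths, host names and ports are assumptions for illustration.

# Intercepting HTTPS port. Certificates for the mimicked origins are
# minted from the local CA in myCA.pem, which the clients must trust.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/certs/myCA.pem

# Helper that generates and caches the per-host mimic certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the handshake first: Squid connects to the origin, obtains its
# real certificate and only then decides to bump. Everything allowed
# here is decrypted, so keep the ACL set as narrow as the policy permits.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Parent proxy reached over a plain CONNECT tunnel. As of Squid 5 the
# bumped requests can be sent here; a TLS link to the peer
# (cache_peer ... tls) would not work for bumped traffic, because Squid
# does not yet carry TLS inside TLS.
cache_peer parent-proxy.example.internal parent 3128 0 no-query default
never_direct allow all
```

`never_direct allow all` forces every request, bumped ones included, through the peer; without it Squid would contact the origin directly and the new forwarding path would never be exercised.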

It is also noted that the implementation of the ICAP (Internet Content Adaptation Protocol) protocol, used for integration with external content inspection systems, has added support for a trailer mechanism that allows additional metadata headers to be attached to the response, placed after the message body.

Instead of consulting the "dns_v4_first" setting to decide the order in which the IPv4 and IPv6 address families are used, the order of the DNS replies is now taken into account: if the AAAA reply from DNS arrives first while an address is being resolved, the resulting IPv6 address is used. As a result, the preferred address family is now configured at the firewall or DNS level, or at build time with the "--disable-ipv6" option.
This change shortens the time needed to set up a TCP connection and reduces the performance impact of DNS resolution delays.

When forwarding requests, the "Happy Eyeballs" algorithm is used: it immediately uses the first IP address received, without waiting for all the potentially available IPv4 and IPv6 addresses to be resolved.
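The resolution behaviour described in the two preceding paragraphs, as an added example rather than Squid's own code: both lookups run concurrently, the first answer to arrive is used regardless of address family, and later answers are tried only if the earlier addresses fail to connect. The resolvers and the connect step are simulated callables (with constructed delays and addresses from the documentation ranges) so the example runs offline; the function names and the returned tuple shape are assumptions, and the connection logic is a deliberate simplification of RFC 8305 Happy Eyeballs, not Squid's implementation.

```python
"""Address-family choice by DNS answer arrival, then connecting in
arrival order (a simplified Happy Eyeballs).

Added example, not Squid's own code. A and AAAA lookups are issued in
parallel; instead of a fixed preference such as the old dns_v4_first,
the family whose answer arrives first is tried first, and later answers
are tried only if the earlier addresses fail to connect. Resolvers and
connect attempts are simulated callables so the example runs offline.
"""
import concurrent.futures as cf
import time
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Resolver = Callable[[], List[str]]   # returns that family's addresses
Connector = Callable[[str], bool]    # True if a TCP connect succeeded


def addresses_as_they_arrive(resolvers: Dict[str, Resolver]) -> Iterator[Tuple[str, str]]:
    """Run all lookups concurrently and yield (family, addr) per answer.

    Answers are yielded in the order they arrive, so the caller can act
    on the first one without waiting for the other family's reply.
    """
    with cf.ThreadPoolExecutor(max_workers=len(resolvers)) as pool:
        futures = {pool.submit(fn): fam for fam, fn in resolvers.items()}
        for fut in cf.as_completed(futures):
            fam = futures[fut]
            for addr in fut.result():
                yield fam, addr


def connect_first_available(resolvers: Dict[str, Resolver],
                            connect: Connector) -> Optional[Tuple[str, str, float]]:
    """Try addresses in DNS-answer arrival order; stop at the first success.

    Returns (family, address, seconds_until_connected), or None when every
    address failed. Unlike a dns_v4_first policy there is no wait for the
    other family's answer before the first attempt.
    """
    start = time.monotonic()
    for fam, addr in addresses_as_they_arrive(resolvers):
        if connect(addr):
            return fam, addr, time.monotonic() - start
    return None


def simulated_resolver(delay_s: float, answers: List[str]) -> Resolver:
    """Constructed stand-in for a DNS query that answers after delay_s."""
    def query() -> List[str]:
        time.sleep(delay_s)
        return list(answers)
    return query


def simulated_connector(reachable: List[str]) -> Connector:
    """Constructed stand-in for TCP connect: succeeds only for listed addresses."""
    def connect(addr: str) -> bool:
        return addr in reachable
    return connect


def demo_ipv6_answer_first() -> Optional[Tuple[str, str, float]]:
    """AAAA answers well before A: the IPv6 address is used, without
    waiting the extra half second for the A reply."""
    resolvers = {
        "AAAA": simulated_resolver(0.01, ["2001:db8::10"]),
        "A": simulated_resolver(0.50, ["192.0.2.10"]),
    }
    reachable = simulated_connector(["2001:db8::10", "192.0.2.10"])
    return connect_first_available(resolvers, reachable)


def demo_fallback_when_first_fails() -> Optional[Tuple[str, str, float]]:
    """AAAA arrives first but its address is unreachable: fall back to A."""
    resolvers = {
        "AAAA": simulated_resolver(0.01, ["2001:db8::dead"]),
        "A": simulated_resolver(0.50, ["192.0.2.10"]),
    }
    return connect_first_available(resolvers, simulated_connector(["192.0.2.10"]))


if __name__ == "__main__":
    print("first answer wins:", demo_ipv6_answer_first())
    print("fallback to later answer:", demo_fallback_when_first_fails())
```

The elapsed time returned by the first demo is the point of the change: the connection is attempted a few milliseconds after the AAAA reply even though the A reply is still half a second away. With the old fixed-preference behaviour both replies had to be in hand before the preferred family could be chosen.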

For use with the "external_acl" directive, the "ext_kerberos_sid_group_acl" helper has been added for authentication with group membership checks against Active Directory using Kerberos. The ldapsearch utility shipped with the OpenLDAP package is used to look up the group name.

The mark_client_connection and mark_client_packet directives have been added to attach Netfilter marks (CONNMARK) to individual packets or to client TCP connections.

Finally, it is mentioned that, along with the releases of Squid 5.2 and Squid 4.17, the following vulnerabilities have been fixed:

  • CVE-2021-28116: an information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy's clients to their own host. The problem only shows up in configurations with WCCPv2 support enabled and where the router's IP address can be spoofed.
  • CVE-2021-41611: an error in TLS certificate verification that allows access using untrusted certificates.

Finally, if you want to know more about it, you can check the details at the following link.

