Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
4 contributors

Users who have contributed to this file

@yadij @squidadm @rousskov @rbtcollins
6502 lines (5909 sloc) 301 KB
Changes to squid-4.9 (05 Nov 2019):
- Bug 4978: eCAP crash after using MyHost().newRequest()
- Bug 4970: excessive gnutls_certificate_credentials debug msgs
- Bug 4969: GCC-9 build failure: stringop-truncation
- Bug 4966: Lower cache_peer hostname
- Bug 4918: Crashes when using OpenSSL prior to v1.0.2
- TLS: Fix parsing of certificate validator responses
- TLS: Fix parsing of TLS messages that span multiple records
- TLS: Fix on_unsupported_protocol tunnel action
- TLS: Fix expiration of self-signed generated certs to be 3 years
- HTTP: Ignore malformed Host header in intercept and reverse proxy mode
- HTTP: RFC 7230: server MUST reject messages with BWS after field-name
- HTTP: Fix URN response handling
- HTTP: Hash Digest noncedata
- Update URI parser to use SBuf parsing APIs
- Prevent truncation for large origin-relative domains
- Fix several rock cache_dir corruption issues
- Debug detail validation errors for loaded-from-file certificate chains
- smblib: Improve SMB server name maintenance
- cachemgr.cgi: Add validation for hostname parameter
- ... and several compile issues
- ... and some documentation updates
Changes to squid-4.8 (09 Jul 2019):
- Bug 4957: Multiple XSS issues in cachemgr.cgi
- Bug 4953: to_localhost does not include ::
- Bug 4937: cachemgr.cgi: unallocated memory access
- Bug 4936: terminating c-strings beyond BASE64_DECODE_LENGTH
- Bug 4889: Ignore ECONNABORTED in accept(2)
- Bug 4842: Memory leak when http_reply_access uses external_acl
- TLS: Fix tls-min-version= being ignored
- TLS: Add the NO_TLSv1_3 option to available tls-options values
- HTTP: RFC 7230 forbids generation of userinfo subcomponent of https URL
- HTTP: Remove userinfo support from old protocols
- HTTP: Fix Digest auth parameter parsing
- HTTP: Send Connection:close with the known-last request on a connection
- HTTP: Fix handling of tiny invalid responses
- Replace uudecode with libnettle base64 decoder
- Update HttpHeader::getAuth to SBuf
- ... and some compile issues
Changes to squid-4.7 (06 May 2019):
- Bug 4942: --with-filedescriptors does not do anything
- Bug 4928: Cannot convert non-IPv4 to IPv4
- Bug 4823: assertion failed: "lowestOffset () <= target_offset"
- Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs
- Fix squidclient authentication to origin servers
- Fix stack-based buffer-overflow when parsing SNMP messages
- Add support for buffer-size= to UDP logging
- TLS: When using OpenSSL, trust intermediate CAs from trusted store
Changes to squid-4.6 (19 Feb 2019):
- Bug 4915: Detect IPv6 loopback binding errors
- Bug 4914: Do not call setsid() in --foreground mode
- Bug 4875 pt2: GCC-8 compile errors with -O3 optimization
- Bug 4856: Exit when GoIntoBackground() fork() call fails
- basic_ldap_auth: Return BH on internal errors; polished messages
- Fix BodyPipe/Sink memory leaks associated with auto-consumption
- Fix OpenSSL builds that define OPENSSL_NO_ENGINE
- Fix several cases of rock cache corruption
- Add Georgian (ka) language translation
Changes to squid-4.5 (01 Jan 2019):
- Bug 4253: ssl_bump prevents access to some web contents
- TLS: add %>handshake logformat code
- Redesign forward_max_tries to count TCP connection attempts
- Fix client_connection_mark ACL handling of clientless transactions
- Fix netdb exchange with a TLS cache_peer
- Update netdb when tunneling requests
- Use pkg-config for detecting libxml2
- ... and some documentation updates
- ... and some code compile fixes
Changes to squid-4.4 (28 Oct 2018):
- Bug 4893: Malformed %>ru URIs for CONNECT requests
- Fix %USER_CA_CERT_xx and %USER_CERT_xx crashes
- SSL: support compilation with minimal OpenSSL
- SSL: certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL
- Fix netdb not saving to disk
- Fix memory leak when parsing SNMP packet
- ... and some compile issues
Changes to squid-4.3 (01 Oct 2018):
- Bug 4885: Excessive memory usage when running out of descriptors
- Bug 4877: Add missing text about external_acl_type %DATA changes
- Bug 4875 pt1: GCC-8 compile errors with -O3 optimization
- Bug 4716: Blank lines in cachemgr.conf are not skipped
- Bug 4691: balance_on_multiple_ip config option docs
- basic_pop3_auth: fix startup errors
- langpack: Add missing dialect aliases
- Fix range_offset_limit debugging
- Fix icc build errors
- Update systemd dependencies in squid.service
Changes to squid-4.2 (04 Aug 2018):
- Regression fix: support for https_port clientca= option
- Regression Bug 4870: milliseconds logformats prepend 0s instead of spaces
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4843 pt3: GCC-8 fixes and refactoring
- HTTP: Do not update stored headers on 304 responses
- Fix segmentation fault on -k parse
- Fix %>ru logging of huge URLs
- ... and several performance optimizations
- ... and some documentation updates
- ... and all fixes from 3.5.28
Changes to squid-4.1 (02 Jul 2018):
- Bug 4223: fixed retries of failed re-forwardable transactions
- Bug 4791: Build failure on MacOS
- Fix --with-netfilter-conntrack error message
- ... and many documentation updates
Changes to squid-4.0.25 (11 Jun 2018):
- Regression Bug 4855: querying private entries for HTCP/ICP
- Regression Bug 4852: deny_info %R macro not being expanded
- Regression Bug 4847: proxy_auth ACL -i/+i flags not working
- Regression Bug 4831: filter chain certificates for validity when loading
- Regression fix: Transient reader locking broken in 4.0.24
- Bug 4845: NegotiateSsl crash on aborting transaction
- Bug 4843 pt1: ext_edirectory_userip_acl refactoring for GCC-8
- Bug 4843 pt2: squidclient refactoring for GCC-8
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4828: Use feature detection for IPFilter API/ABI checks
- Bug 4816: update negotiate_kerberos_auth helper protocol to v3.4
- Bug 4811: supply AccessLogEntry (ALE) for more fast ACL checks
- Bug 4707: purge tool does not obey --sysconfdir= build option
- Bug 4171: checking for log_file_daemon despite disabling logging
- Bug 4042: ext_kerberos_ldap_group: add -P principal option
- TLS: avoid "ssl_crtd" assertions on reconfiguration
- Add timestamps to (most) FATAL messages
- Add "--kid role-ID" command line option
- ... and many documentation updates
Changes to squid-4.0.24 (07 Mar 2018):
- Bug 4822: Build failure (-Wformat) where time_t is not long int
- Bug 4505: SMP caches sometimes do not purge entries
- TLS: GnuTLS implementation for listening ports and client connections
- TPROXY: Fix clientside_mark and client port logging
- Native FTP: Fix "Cannot assign requested address" with TPROXY
- SSL-Bump: Fix authentication with types other than Basic
- ... and many small compile and stability fixes
- ... and some documentation fixes
Changes to squid-4.0.23 (19 Jan 2018):
- Bug 4715: security_file_certgen: Remove -g and -n options docs
- Bug 4679: User names not sent to url_rewrite_program
- Bug 4631: security_file_certgen helper without disk cache
- Bug 3911: clang -fsanitize warnings
- Bug 2378: Duplicates in selected peer destinations
- Nettle v3.4 support
- Fix Squid FTP server dying because of an unhandled exception
- Automatically revive hopeless kids on reconfigure and after a timeout
- Fix %<Hs, %<pt, %<tt, %<bs calculation bugs for error responses
- ... and many documentation updates
- ... and some stability fixes
Changes to squid-4.0.22 (07 Dec 2017):
- Regression fix: Relay peer CONNECT error status line and headers to clients
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 4718: support filling raw buffer space of shared SBufs
- Bug 4648: object revalidation for HTTPS scheme
- Bug 4616: store_client.cc:92: "mem" assertion
- Bug 2821: ignore Content-Range in non-206 responses
- HTCP: Ignore packets with invalid URI
- TLS: Validate the shortest certificate chain
- TLS: Add checks for OpenSSL 1.1.0f API changes
- TLS: Fix reporting of validation errors for downloaded intermediate certs
- TLS: Fix SSL certificate cache refresh and collision handling
- Fix backwards compatibility for Squid-3.5 external_acl_type formats
- Fix invalid mime icon URLs in cache
- Do not die silently when dying early
- Docs: update translation files
Changes to squid-4.0.21 (02 Jul 2017):
- Bug 4730: segfault while processing internal HTTP requests
- Bug 4492: Chunk extension parser is too pedantic
- Bug 1961: Redesign urlParse() API
- TLS: recognise tls:: namespace on logformat tokens
- SSL-Bump: tproxy does not spoof spliced connections
- security_file_certgen: collapse queued requests
- Add a basic apparmour profile
- Add transaction_initiator ACL for detecting various unusual transactions
- Add ssl::server_name options to control matching logic
- Support for --long-acl-options
- Do not die silently when dying via std::terminate()
- Fix option --foreground to implement expected behavior
- Translations: update .po and .pot to latest texts
- ... and some documentation updates
- ... and many code cleanup and stability fixes
- ... and all fixes from 3.5.27
Changes to squid-4.0.20 (01 Jun 2017):
- Bug 4692: SslBump breaks intercepted IPv6 connections
- Bug 4682: ignoring http_access deny when client-first bumping mode is used
- Bug 4662: build errors with LibreSSL 2.4.4
- Bug 4659: sslproxy_foreign_intermediate_certs does not work
- Bug 4321: ssl_bump terminate does not terminate at step1
- Add 'has' ACL
- Do not forward HTTP requests to dead idle peers
- Do not unconditionally revive dead peers after a DNS refresh
- Make PID file check/creation atomic to avoid associated race conditions
- Count failures and use peer-specific connect timeouts when tunneling
- SSL-Bump: Fix crashes when server-first bumping mode is used with openSSL-1.1.0
- eCAP: Fix empty header handling in Ecap::HeaderRep::hasAny()
- SSL-Bump: Second adaptation missing for CONNECTs
- ext_session_acl: cope with new logformat inputs
- ... and some documentation updates
- ... and some code stability fixes
- ... and all fixes from 3.5.26
Changes to squid-4.0.19 (02 Apr 2017):
- Bug 4674: delay_parameters for class 3 and 4 assertion failed
- Bug 4671: GCC 7 compile errors
- Bug 4663: GCC 5+ compile errors with optimization level -O3
- Bug 4657: delay IDENT until after PROXY protocol handling
- Bug 4610: cleanup of BerkleyDB related checks
- squidclient: Fix missing error handling on PUT
- digest_ldap_auth: Add -r option to clamp the realm to a fixed value
- TLS: initial GnuTLS support for encrypted server connections
- Fix appending Http::HdrType::VIA code
- Fix URI scheme case-sensitivity treatment
- Fix two read-ahead problems related to delay pools (or lack thereof)
- Detail swapfile header inconsistencies
- ... and several build fixes
- ... and many code polishing updates
- ... and all fixes from 3.5.25
Changes to squid-4.0.18 (06 Feb 2017):
- Bug 4661: compile error 'warning: _XPG4_2 redefined' with GCC on Solaris 10
- Bug 4636: assertion 'byteCount > 0 && byteCount <= inBuf.length()'
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599: support OpenSSL 1.1
- squidclient: link GnuTLS library debugs to -v level display
- Fix GCC6: unused local variable 'weInitiatedThisClosure'
- ... and some code polishing
- ... and some copyright updates
- ... and all fixes from 3.5.24
Changes to squid-4.0.17 (16 Dec 2016):
- Bug 4630: user credentials cache cleanup not re-scheduled
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599 partial: initial support for OpenSSL v1.1
- TLS: Support tunneling of bumped non-HTTP traffic
- ... and many code polishing and performance updates
- ... and some documentation updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.16 (30 Oct 2016):
- Avoid segfaults when lacking the server name for certificate validator
- HTTP: initial support for Cache-Control:immutable
- Fix ssl::server_name ACL
- ... and many code polishing updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.15 (09 Oct 2016):
- Regression fix crash on reconfigure with TOS/DiffServ/MARK configured
- Bug 4610: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4581: Secure ICAP segfault in checkForMissingCertificates
- Bug 4578: changes required to install squid.service
- Fix crash on shutdown while cleaning up idle ICAP connections
- Fix memory leak of Downloader-related objects
- HTTP/1.1: handle syntactically valid requests with unsupported HTTP versions
- Log TCP client port for error:transaction-end-before-headers and such
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.22
Changes to squid-4.0.14 (08 Sep 2016):
- Regression Bug 4570: crash after rev.14755
- Regression Bug 4561: Replace use of default move operators with explicit implementation
- Bug 4503: Do not access-log SslBump-faked CONNECTs with _ABORTED suffixes
- Bug 4404: Do not access-log chunked non-persistent responses with _ABORTED suffix
- Fix crashes on shutdown while cleaning up idle ICAP connections
- Fix logformat unable to configure codes with /-escape
- HTTP: MUST respond with 414 (URI Too Long) when request-target exceeds limits
- HTTP: validate Content-Length header values
- Make Squid death due to overloaded helpers optional
- Better support for unknown URL schemes
- Do not log error:transaction-end-before-headers after invalid requests
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.21
Changes to squid-4.0.13 (05 Aug 2016):
- Regression Bug 4540: revert r14720 buffer update
- Bug 4555: Minor improvements to error pages CSS
- Bug 4551: fix exceptions in new chunked decoder
- Bug 4311: support collapse for internal revalidation requests (SMP-unaware caches)
- Fix Certificate Validator buffer-overflow crashes Squid
- Fix some failed transactions not being logged
- Fix segfault via Ftp::Client::readControlReply().
- basic_db_auth: add support for unsalted SHA1 passwords
- kerberos_ldap_group: add support for SSL/TLS connection to an LDAP server
- TLS: Add missing 'tls' option for cache_peer
- TLS: Do not hang when 'connector' fails
- TLS: Add support for fetching missing certificates
- Remove XSTD_USE_LIBLTDL, which has not been needed in a long while
- ... and many code polishing updates
- ... and some documentation updates
Changes to squid-4.0.12 (01 Jul 2016):
- Regression Fix: shell issues with require_smblib definition
- Regression Bug 4532: pid_filename not working as documented
- Regression Bug 4504: Too many WARNING: Ignoring error setting CA certificate locations
- Bug 4516: security_file_certgen man page update
- Bug 4446: undefined reference to 'libecap::Name::Name'
- Bug 4376: clang cannot build Squid eCAP code
- HTTP/1.1: Update all stored headers on 304 revalidation
- TLS: Authority Key Identifier certificate extension
- Add a script to find kid-specific cache.log lines
- Cleanup cppunit detection and use
- ... and several performance improvements
- ... and some unit test updates
- ... and all fixes from 3.5.20
Changes to squid-4.0.11 (09 Jun 2016):
- Bug 4517: error: comparison between signed and unsigned integer
- Bug 4492: chunked parser needs to accept BWS after chunk size
- HTTP/1.1: allow chunking the last HTTP response on a connection
- HTTP/1.1: unfold mime header blocks
- TLS: fast SNI peek
- TLS: check for SSL_CIPHER_get_id() support required in adjustSSL()
- TLS: never enable OPENSSL_HELLO_OVERWRITE_HACK automatically
- squidclient: improve shell-escape support in -H option
- Do not allow low-level debugging to hide important/critical messages
- Replace new/delete operators using modern C++ rules
- Remove ie_refresh configuration option
- Deprecating SMB LanMan helpers
- Mark refresh-waiting transactions with REFRESH
- ... and some code cleanup and polishing
Changes to squid-4.0.10 (06 May 2016):
- Accumulate fewer unknown-size responses to avoid overwhelming disks.
- Fix shared memory corruption when storing multi-slot (>32KB) shm misses.
- ... and some documentation and code cleanup
- ... and all fixes from 3.5.18
Changes to squid-4.0.9 (20 Apr 2016):
- Bug 4405: assertion failed: comm.cc:554: "Comm::IsConnOpen(conn)"
- Add a new error page token for unquoted external ACL messages.
- Stop parsing response prefix after discovering an "HTTP/0.9" response.
- ... and some documentation updates
- ... and some code polishing
- ... and all fixes from 3.5.17
Changes to squid-4.0.8 (02 Apr 2016):
- Bug 4459: FHS compliance: move netdb.state and ssl_db to /var/cache/squid
- Bug 4458: Behaviour change with external ACL arguments
- Bug 4450: wait() related cleanup
- Bug 4438: SIGSEGV in memFreeString() destructing SBuf globals on shutdown/restart
- Bug 4312: Support disabling collapsed forwarding SMP cooperation
- Bug 3826: SMP compatibility with systemd and --foreground option
- Bug 1979: Add ACL-driven server_pconn_for_nonretriable squid.conf directive
- Bug 7 (partial): Update cached entries on 304 responses
- Add reply_header_add directive
- HTTP/1.1: Do not prohibit updating Last-Modified on 304 responses
- Fix memory leaks of lastAclData and AccessLogentry::url
- Fix clang -Winconsistent-missing-override warning
- Tests: update test suite for GnuTLS
- ... and some documentation updates
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.16
Changes to squid-4.0.7 (23 Feb 2016):
- Regression Fix: external_acl parameters separated by %20 instead of space
- Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
- Bug 4111: leave_suid() does not properly handle error codes returned by setuid
- Fix propagation of response status line parsing error details
- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
- ... and some code SourceLayout project cleaning
- ... and all fixes from squid 3.5.15
Changes to squid-4.0.6 (16 Feb 2016):
- Regression Bug 4436: Fix DEFAULT_SSL_CRTD
- Fix "dial: Ssl::PeerConnector::sslCrtvdHandleReply threw exception: callback != NULL"
- ... and some documentation updates
- ... and all fixes from squid 3.5.14
Changes to squid-4.0.5 (09 Feb 2016):
- Regression Bug 4429: http(s)_port options= error message missing characters
- Regression Bug 4410: 4.0.4 compile error in basic_ncsa_auth
- Regression Bug 4403: helper compile errors after 4.0.4 rev.14454
- Regression Bug 4401: compile error on Solaris
- Regression Fix: TLS/SSL flags parsing
- Regression Fix: cert validadator always disabled in 4.x
- Regression Fix: Name-only note ACL stopped matching after 4.0.4 rev.14465 (note -m)
- Regression Fix: external_acl problems after 4.0.1 rev.14351
- Bug 4409 (partial): compile error when two Heimdal libraries are installed
- Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size
- SMP: Fix cleanup of a shared memory segment in an unusual configuration
- SSL-Bump: Fix step3 splicing.
- Add connections_encrypted ACL
- Make %<a and %<p details available to [eCAP] RESPMOD services
- Rename cert_valid.pl to security_fake_certverify
- Rename ssl_crtd helper to security_file_certgen
- ... and a lot of code SourceLayout project cleaning
- ... and some documentation updates
- ... and all fixes from squid 3.5.13 up to rev.13979
Changes to squid-4.0.4 (06 Jan 2016):
- Regression Bug 4393: compile fails on OS X
- Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or tunnelClientClosed
- Support use of Kerberos credentials cache instead of keytab
- Support logging of TLS Cryptography Parameters
- Support substring matching in Note ACL
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.13
Changes to squid-4.0.3 (28 Nov 2015):
- Bug 4372: missing template files
- Bug 4371: compile errors: no such file or directory: DiskIO/*/*DiskIOModule.o
- Bug 4368: A simpler and more robust HTTP request line parser
- Fix compile erorr on clang undefined reference to '__atomic_load_8'
- ext_kerberos_ldap_group_acl: Add missing workarounds for Heimdal Kerberos
- ext_ldap_group_acl: Allow unlimited LDAP search filter
- ext_unix_group_acl: Support -r parameter to strip @REALM from usernames
- ... and much code cleanup and polishing
- ... and all fixes from squid 3.5.12
Changes to squid-4.0.2 (01 Nov 2015):
- Regression Bug 4351: compile errors when authentication modules disabled
- Regression fix: HTTP/1.1 Transfer-Encoding:chunked parsing
- Bug 4359: assertion failure 'Comm::IsConnOpen(conn)' within ConnStateData::requestTimeout
- Bug 4356: segmentation fault using proxy_auth ACL
- Bug 4352: compile errors in OS X 10.11
- Bug 4021: ext_user_regex does exact match
- Bug 3574: avoid crashes, prohibit reconfiguration during shutdown
- Support re-assigning delay pools based on HTTP reply details
- ... and all fixes from squid 3.5.11
Changes to squid-4.0.1 (14 Oct 2015):
- Bug 4329: GCC 5.2 no known conversion for argument
- Bug 4292: negotiate_wrapper: Unreleased Resources
- Bug 4269: ignore-must-revalidate broken
- Bug 4190: assertion 'hash_remove_link' from Auth::User::cacheCleanup
- Bug 3920: Splay::remove() reference counting inconsistent
- Bug 3069: CONNECT method bytes sent logging
- Bug 2741 partial: libsecurity API for GnuTLS support
- Bug 1961 partial: redesign of URL handling
- Fix crash when parsing invalid squid.conf
- Fix eCAP: Return 'unknown body size' for bodies with unknown body sizes
- Remove unused OS detection: Sun, SysV, Ultrix, BSDi
- Remove cache_peer_domain directive
- RFC 6176 compliance: Remove SSLv2 support
- HTTP/1.1: Remove refresh_pattern ignore-auth and ignore-must-revalidate
- Remove GCC 2.x and 3.x detection and support
- C++11 compiler support is now mandatory
- Enable flexible transport protocol
- Enable long (--foo) command line parameters on squid binary
- Add per-rule refresh_pattern matching statistics
- Replace sslversion=N with tls-min-version=1.N
- Replace sslproxy_* directives with tls_outgoing_options
- Replace GNU atomics and related hacks with C++11 std::atomic
- Replace external_acl_type format %macros with logformat codes
- Support Secure ICAP services
- Support rotate=N option on access_log
- Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
- Support lifetime timeout for persistent connections (pconn_lifetime)
- Support timeout for URL-rewrite helper lookups (url_rewrite_timeout)
- Support logging fast things (nanosecond log resolution)
- Support ICAP/eCAP adaptation for 100-continue responses
- Support configurable helper queue size, with consistent defaults
and better overflow handling.
- Support named service PID file by default (pid_filename)
- url_lfs_rewrite: Add URL-rewriter based on local file existence
- negotiate_kerberos_auth: output group= kv-pair
- helper-mux: add man(8) page
- purge: convert README to man(1) page
- basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth
- basic_sspi_auth: fix MinGW compile errors
- negotiate_sspi_auth: fix various build errors
- Crypto-NG: libnettle Base64 algorithm support
- Parser-NG: HTTP Parser structural redesign
- libltdl: copyright updated to LGPL version 2.1
- ... and several performance optimizations
- ... and many documentation changes
- ... and much code cleanup and polishing
Changes to squid-3.5.28 (15 Jul 2018):
- SQUID-2018:1: crash processing SSL-Bumped traffic containing ESI
- SQUID-2018:2: crash handling responses to internally generated requests
- SQUID-2018:3 / CVE-2018-1172: crash in ESI Response processing
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 2821: Ignore Content-Range in non-206 responses
- HTCP: Ignore HTCP packets with invalid URI
- SSL-Bump: fix authentication with schemes other than Basic
- TPROXY: Fix clientside_mark and client port logging
- Fix "Cannot assign requested address" for to-origin TPROXY FTP data
- Fix --with-netfilter-conntrack error message
- Validate mime icon URL before allocating store entries
- ... and many documentation changes
Changes to squid-3.5.27 (20 Aug 2017):
- Regression Bug #4112: ssl_engine does not accept cryptodev
- Bug 4687: Wrong names of components in man page, section SEE ALSO
- Bug 4671: various GCC 7 compile errors
- Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions
- Bug 2833: Collapse internal revalidation requests (SMP-unaware caches)
- Bug 2833: Do not respond with HTTP/304 to unconditional requests
- Fix message packing error handling in mgr and snmp SMP Forwarders
- Fix mgr query handoff from the original recipient to Coordinator.
- ... and some documentation updates
Changes to squid-3.5.26 (01 Jun 2017):
- Bug 4711: SubjectAlternativeNames is missing in some generated certificates
- Bug 4695: squidpurge: GCC 7 build errors
- Bug 4682: ignoring http_access deny when client-first bumping mode is used
- Bug 4682: Fix ssl_bump "bump" action documentation
- Bug 4653: %st lies about tunneled traffic volumes
- Bug 4589: ssl_crtd: returning zero on failure
- Bug 3772: message from FTP server gets mangled
- Bug 3102: FTP directory listing drops fist character of file names
- Add OpenSSL library details to -v output
- ... and some documentation updates
Changes to squid-3.5.25 (02 Apr 2017):
- Bug 4688: various typo error(s) in man page(s)
- Bug 4508: Host forgery stalls intercepted being-spliced connections
- Native FTP relay: NAT and TPROXY interception fixes
- Fix missing CRLF on FTP timeout ABORT commands
- TLS: Bump client on errors encountered before ssl_bump evaluation
- ext_kerberos_ldap_group_acl: fix unused value warnings
- Fix crash when configuring with invalid delay_parameters restore value.
- Check that -k argument is provided before trying to use it.
- ... and some build fixes
Changes to squid-3.5.24 (28 Jan 2017):
- Regression Bug 3940: Make 'cache deny' do what is documented
- TLS: Fix SSLv2 records bumping despite a matching step2 peek rule
- TLS: Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation
- Fix "Source and destination overlap in memcpy" Valgrind errors
- Reduce crashes due to unexpected ClientHttpRequest termination
- Update External ACL helpers error handling and caching
- Detect HTTP header ACL issues
- ... and some documentation fixes
Changes to squid-3.5.23 (16 Dec 2016):
- Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
- Bug 4620: NetBSD build error with --enable-ipf-transparent
- Bug 4567: Strange IPv6 shown in access.log
- Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconfigure and restart
- Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion.
- Bug 4169: HIT marked as MISS when If-None-Match does not match
- Bug 4007: Hang on DNS query with dead-end CNAME
- Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
- Bug 3940 partial: hostHeaderVerify failures MISS when they should be HIT
- Bug 3533: Cache still valid after HTTP/1.1 303 See Other
- Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
- Bug 3290: authenticate_ttl not working for digest authentication
- Bug 2258: bypassing cache but not destroying cache entry
- HTTP/1.1: make Vary:* objects cacheable
- HTTP/1.1: Add registered codes entry for new 103 (Early Hints) status code
- Support IPv6 NAT with PF for NetBSD and FreeBSD
- TLS: Make key= before cert= an error instead of quietly hiding the issue
- ... and some debug updates
- ... and some build fixes
- ... and several documentation updates
Changes to squid-3.5.22 (09 Oct 2016):
- Bug 4594: build failure with clang 3.9
- Bug 4471: revalidation does not work when expired cached object lacks Last-Modified
- Bug 4302 pt2: IPv6 support for IPFilter v5 transparent interception
- Bug 4228: ./configure bug/typo in r14394
- Bug 3819: "fd >= 0" assertion in file_write() during reconfiguration
- Bug 2833: Collapse internal revalidation requests (SMP-unaware caches)
- Fix logged request size (%http::>st) and other size-related %codes
- Fix some memory leaks from putenv()
- Fix memory leaks from url_rewrite_extras and store_id_extras on reconfigure/shutdown
- Fix segfault crash when debugging section 4 at level 9
- HTTP: MUST ignore a [revalidation] response with an older Date header
Changes to squid-3.5.21 (08 Sep 2016):
- Bug 4563: duplicate code in httpMakeVaryMark
- Bug 4542: authentication credentials IP TTL updated incorrectly
- Bug 4534: assertion failure in xcalloc when using many cache_dir
- Bug 4428: mal-formed Cache-Control:stale-if-error header
- Bug 3025: Proxy-Authenticate problem using ICAP server
- Fix segfault via Ftp::Client::readControlReply()
- Fix SSL-Bump failure results in SEGFAULT
- HTTP/1.1: MUST always revalidate Cache-Control:no-cache responses
- HTTP/1.1: do not allow Proxy-Connection to override Connection header
- SSL: CN wildcard must only match a single domain component [fragment]
Changes to squid-3.5.20 (01 Jul 2016):
- Bug 4523: smblib compile fails on NetBSD
- Bug 4485: off-by-one out-of-bounds Parser::Tokenizer::int64() read errors
- Bug 3579: assertion failed 'MemPools[type]' from dst_as ACL
- Fix icons loading speed
- Fix OpenSSL detection on FreeBSD
- Fix assertion failed: Write.cc:38: 'fd_table[conn->fd].flags.open'
- Fix SEGFAULT parsing malformed adaptation service configuration
- Fix ConnStateData::In::maybeMakeSpaceAvailable() logic
- Do not override user defined -std option
- Do not allow low-level debugging to hide important/critical messages
- Do not make bogus recvmsg(2) calls when closing UDS sockets
- Support unified EUI format code in external_acl_type
Changes to squid-3.5.19 (09 May 2016):
- Regression Bug 4515: interception proxy hangs
Changes to squid-3.5.18 (06 May 2016):
- Bug 4510: stale comment about 32KB limit on shared memory cache entries
- Bug 4509: EUI compile error on NetBSD
- Bug 4501: HTTP/1.1: normalize Host header
- Bug 4498: URL-unescape the login-info after extraction from URI
- Bug 4455: SegFault from ESIInclude::Start
- Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
- Fix TLS/SSL server handshake alert handling
Changes to squid-3.5.17 (20 Apr 2016):
- Regression Bug 4480: logformat [.width_max]
- Regression Bug 4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt
- Bug 4495: Unknown SSL option SSL_OP_NO_TICKET
- Bug 4493: theObject->sharedMemorySize() == theSegment.size() exception
- Bug 4483: ./configure garbles -Og option in CFLAGS
- Bug 4482: Solaris GCC 5.2 warning in src/ip/Intercept.cc
- Bug 4468: NotNode (!acl) naming: Terminate the name before strncat(name).
- Bug 4465: Header forgery detection leads to crash
- Bug 2460 partial: workaround deferred reads on shutdown and restart
- cachemgr.cgi: use dynamic MemBuf for internal content generation
- ESI: Fix several element construction issues
- TLS: Fix Handshake Error: ccs received early
- TLS: Add chained and signing cert to peek-then-bumped connections
- Fix some startup/shutdown crashes
Changes to squid-3.5.16 (02 Apr 2016):
- Bug 4476: Removed duplicated #include lines
- Bug 4452: squid -z segfaults with ufs
- Bug 4447:FwdState.cc:447 "serverConnection() == conn" assertion
- Bug 4423: adding stdio: prefix to cache_log directive produces FATAL error
- Bug 4409: compile error when two Heimdal libraries are installed
- Bug 2831: Cache-control: max-age not sent on TCP_IMS_HIT/304
- pinger: Fix buffer overflow in Icmp6::Recv
- pinger: Fix select(2) to actually use max_fd
- pinger: drop capabilities on Linux
- Fix memory leak of HttpRequest objects
- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
- Fix assertion failed: Write.cc:41: "!ccb->active()"
- Fix crash on shutdown while cleaning up idle ICAP connections
- RFC 7725: Add registry entry for 451 status text
- ... and some build issues
Changes to squid-3.5.15 (23 Feb 2016):
- Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
- Fix multiple assertion on String overflows
- Fix unit test errors on MacOS
- Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
- Log noise reduction for eCAP
Changes to squid-3.5.14 (16 Feb 2016):
- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
- Bug 4431: C code is not compiled with CFLAGS
- Bug 4418: FlexibleArray compile error with GCC 6
- Bug 4378: assertion failed: DestinationIp.cc:60:
'checklist->conn() && checklist->conn()->clientConnection != NULL'
- Fix invalid FTP connection handling on blocked content
- Fix handling of shared memory left over by Squid crashes or bugs
- Fix mgr:config report 'qos_flows mark' output
- Fix compile error in CPU affinity
- Fix %un logging external ACL username
- Avoid more certificate validation memory leaks
- ... and some documentation updates
Changes to squid-3.5.13 (06 Jan 2016):
- Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
- Bug 4387: Kerberos build errors on Solaris
- TLS: Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
- TLS: Complete certificate chains using external intermediate certificates
- Avoid memory leaks when an X.509 certificate validator is used with SslBump
- Fix connection retry and fallback after failed server TLS connections
- Fix GnuTLS detection via pkg-config
- Fix startup crash with a misconfigured (too-small) shared memory cache
- ... and some documentation updates
Changes to squid-3.5.12 (28 Nov 2015):
- Bug 4374: refresh_pattern config parser (%)
- Bug 4373: assertion 'calloutContext->redirect_state == REDIRECT_NONE'
- Bug 4228: links with krb5 libs despite --without options
- Fix SSL_get_certificate() problem detection
- Fix TLS handshake problem during Renegotiation
- Fix cache_peer forceddomain= in CONNECT
- Fix status code-based HTTP reason phrase for eCAP-generated messages
- Fix build errors in cpuafinity.cc
- ... and several documentation updates
Changes to squid-3.5.11 (01 Nov 2015):
- Bug 3574: crashes on reconfigure and startup
- Bug 4347: compile errors with LibreSSL 2.3
- Bug 4281: copy-paste typos in src/tools.cc
- Bug 4279: No response from proxy for FTP-download of non-existing file
- Bug 4188: Bumping intercepted SSL connections does not work on Solaris
- Fix incorrect authentication headers on cache digest requests
- Fix connection stats, including %<lp, missing for persistent connections
- Fix invalid memory access issues in SBuf
- Avoid errors when parsing manager ACL in old squid.conf
Changes to squid-3.5.10 (01 Oct 2015):
- Regression Fix cache_peer login=PASS(THRU) after CVE-2015-5400
- Regression Bug 4326: base64 binary encoder rejects data beginning with nil byte
- Bug 4323: Netfilter broken cross-includes with Linux 4.2
- Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules
- Bug 4208: more than one port in wccp2_service_info line causes error
- Bug 4303: PeerConnector.cc:743 "!callback" assertion.
- Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size of SSL hello ciphers
- Relicense ntlm_fake_auth.pl to GPLv2+
- Relicense smb_lm auth helper to GPLv2+
- Relicense SSPI helper to GPLv2+
- ... and several minor performance optimizations
Changes to squid-3.5.9 (17 Sep 2015):
- Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords
- Bug 4309: incorrect extensions detection in SSL Hello messages
- Bug 4309: crash during Skype login
- Bug 4284: missing sanity checks for malloc
- Regression Fix: CONNECT request debugging 11,2 traces
- Regression Fix: Quieten UFS cache maintenance skipped warnings
- TLS: Support SNI on generated CONNECT after peek
- ... and some documentation updates
Changes to squid-3.5.8 (02 Sep 2015):
- Regression Bug 4306: build portability fix in Kerberos helpers
- Bug 4302: IPFilter v5 transparent interception
- Bug 4301: compile errors with IPFilter interception
- Bug 4285 partial: %us is not supported in access.log
- Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
- Bug 4242: compile errors with eCAP using clang-3.6
- Bug 3696: crash when client delay pools are activated
- Bug 3553: cache_swap_high ignored and maxCapacity used instead
- Regression Fix: FtpServer.cc:1024: "reply != NULL" assertion
- Fix ignore of impossible SSL bumping actions, as intended and documented
- Fix memory leak in Surrogate-Capability header detection
- Fix truncated body length when RESPMOD service aborts
- Reject non-chunked HTTP messages with conflicting Content-Length values
- Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
- ... and several portability and compile fixes
- ... and several documentation updates
Changes to squid-3.5.7 (01 Aug 2015):
- Bug 4293: wrong SNI sent to server after URL-rewrite
- Bug 4251: incorrect instance name for memory segments in /dev/shm
- Bug 4227: invalid key in AuthUserHashPointer causing assertation failure
- Bug 3345: support %un (any available user name) format code for external ACLs.
- basic_smb_auth: Fix several old issues identified by Debian users
- Support ssl-bump splicing to origin cache_peer
- Fix SSL errors relayed using invalid certificates
- Fix crash in TcpAccepter with profiler enabled
- Fix some cases of ssl_crtd SSL certificate DB corruption
- Fix performance regression in SBuf::chop operations
- Improve handling of client connections on shutdown
- Handle exceptions during squid.conf parse
- Make pod2man an optional dependency
- ... and polishing for several cache.log notification messages
- ... and all fixes from squid 3.4.14
Changes to squid-3.5.6 (03 Jul 2015):
- Bug 4274: ssl_crtd.8 not being installed
- Bug 4193: memory leak on FTP listings
- Bug 4183: segfault when freeing https_port clientca on reconfigure or exit
- Bug 3875: bad mimeLoadIconFile error handling
- Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
- Bug 3329: pinned server connection is not closed properly
- TLS: Disable client-initiated renegotiation
- ext_edirectory_userip_acl: fix uninitialized variable
- Support custom OIDs in *_cert ACLs
- Fix CONNECT failover to IPv4 after trying broken IPv6 servers
- Use relative-URL in errorpage.css for SN.png
- Do not blindly forward cache peer CONNECT responses
- Fix assertion String.cc:221: "str"
- Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
- Translations: add Spanish US dialect alias
Changes to squid-3.5.5 (28 May 2015):
- Regression Bug 4132: short_icon_urls with global_internal_static on
- Bug 4238: assertion Read.cc:205: "params.data == data"
- Bug 4236: SSL negotiation error of 'success'
- Bug 3930: assertion 'connIsUsable(http->getConn())'
- Fix assertion MemBuf.cc:380: "new_cap > (size_t) capacity" in SSL I/O buffer
- Fix assertion errorpage.cc:600: "entry->isEmpty()"
- Fix comm_connect_addr on failures returns Comm:OK
- Fix missing external ACL helper notes
- Fix "Not enough space to hold server hello message" error message
- Fix segmentation fault inside Adaptation::Icap::Xaction::swanSong
- Prevent unused ssl_crtd helpers being run
- ... and some code cleanup and portability updates
- ... and several documentation updates
Changes to squid-3.5.4 (01 May 2015):
- Bug 4234: comm_connect_addr uses errno incorrectly
- Bug 4231: fd_open() not correctly handling UDS socket descriptions
- Bug 4226: digest_edirectory_auth: found but cannot be built
- Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump"
- Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections
- Fix require-proxy-header preventing HTTPS proxying and ssl-bump
- Fix Negotiate/Kerberos authentication request size exceeds output buffer size
- Fix SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
- Add server_name ACL matching server name(s) obtained from various sources
- Add Kerberos support for MAC OS X 10.x
- Support for resuming TLS sessions
- ... and some portability and compile fixes
- ... and several documentation updates
- ... and all fixes from squid 3.4.13
Changes to squid-3.5.3 (28 Mar 2015):
- Regression Bug 4213: negotiate_kerberos_auth: freeing non-dynamic memory
- Regression Bug 4206: Incorrect connection close on expect:100-continue
- Bug 4204: ./configure does not abort when required helpers cannot be built
- Bug 3805: support shared memory on MacOS X in Mem::IPC::Segment
- Bug 2907: high CPU usage on CONNECT when using delay pools
- basic_getpwnam_auth: fail authentication on crypt() failures
- basic_nis_auth: fail authentication on crypt() failures
- ext_kerberos_ldap_group_acl: Heimdal support improvements
- ext_wbinfo_group_acl: Perl 5.20 support
- ... and several compile issues
Changes to squid-3.5.2 (18 Feb 2015):
- Regression Bug 4176: Digest auth too many helper lookups
- Regression Bug 4180: not-fully-initialized data member in ACLUserData
- Bug 4172: Solaris broken krb5-config
- Bug 4073: Cygwin compile errors
- Bug 3919: remove several never-true / never-false comparisons
- HTTPS: Add missing root CAs when validating chains that passed internal checks
- Fix some cbdataFree related memory leaks
- Quieten CBDATA 'leak' messages
- Set SNI information in transparent bumping mode
- negotiate_kerberos_auth: fix krb5.conf backward compatibility
- Fix memory leaks in cachemgr.cgi URL parser
- Fix sslproxy_options in peek-and-splice mode
- ... and fix several portability and build issues
- ... and some documentation updates
- ... and all fixes from squid 3.4.11
Changes to squid-3.5.1 (13 Jan 2015):
- Fix handling of invalid SSL server certificates when splicing connections
- basic_smb_lm_auth: Simplified MSNT basic auth helper
- squidclient: Fix -A and -P options
- ... and several portability fixes
- ... and all fixes from squid 3.4.11
- ... and a lot of documentation updates
Changes to squid-3.5.0.4 (21 Dec 2014):
- Bug 3826: pt 2: Provide a systemd .service file for Squid
- Support http_access denials of SslBump "peeked" connections.
- Fix DONT_VERIFY_DOMAIN ssl flag
- Fix peek-and-splice mode: certificate validation for domain mismatched errors
- negotiate_kerberos_auth: MEMORY keytab and replay cache support
- ... and some documentation updates
- ... and a large amount of code polishing (non-logic changes)
Changes to squid-3.5.0.3 (09 Dec 2014):
- Bug 4146: workaround SSL Bump crash on Linux
- Bug 4135: Support \-escaped characters in regex patterns
- Bug 4131: SIGSEGV at store.cc:962 content_length > store_maxobjsize
- Fix delay_parameters parsing
- HTTP/2: handle 'PRI' method found in HTTP/1.x traffic
- ... and all changes from squid 3.4.10
- ... and a lot of documentation updates
Changes to squid-3.5.0.2 (31 Oct 2014):
- Fix FTP socket opening during reconfigure
- ... and all changes from 3.4.9
- ... and some build errors in rarely used code
- ... and several documentation updates
Changes to squid-3.5.0.1 (17 Oct 2014):
- Port from 2.7: redirector and logging urlgroup feature
- Bug 4093: source-maintenance.sh bad perl -i option
- Bug 3608: per-service name for workers UDS sockets
- Bug 2554: 32-bit wrap in AUFS counters
- Bug 1961 pt1: URL handling redesign
- Bug 1202 pt1: documentation for refresh_pattern algorithms
- Update Squid boilerplate copyright/license
- Update the http(s)_port directives protocol= parameter
- Update forward_max_tries to permit 25 server paths
- Update Kerberos library detection and build options
- Support ACLs on ftp_epsv directive
- Support >32KB objects in cache_dir rock storage
- Support client connection annotation by helpers via clt_conn_tag=TAG
- Support native FTP Relay
- Support libgnugss Kerberos library
- Support libecap v1.0
- Support SSL Peek and Splice feature
- Support receiving PROXY protocol version 1 and 2
- Replace --enable-ssl build option with --with-openssl
- Enable -n service name command line option for all Squid builds
- Enable ICAP client by default
- Fix configuration file parsing bugs, related to quoted strings
- Fix Windows MinGW build errors
- Fix multiple TCP outgoing TOS/DiffServ bugs
- Fix Cygwin /etc/resolv.conf parsing
- Fix crash when sending %ssl::cert_subject to external ACL w/o certificate
- Fix crash reading malformed config files
- Send selected SSL version and cipher to the certificate validation helper
- Validate server certificates without bumping
- Add zero-copy string buffer support
- Add automated squid.conf parser testing with squid -k parse
- Add adaptation_service ACL
- Add logformat code %tS to log transaction start time
- Add logformat code %>rd to log client URL domain name
- Add key_extras to proxy authentication
- Add url_rewrite_extras and store_id_extras directives
- Add send_hit and store_miss directives
- Add collapsed_forwarding directive
- Add sslproxy_cert_sign_hash directive
- Add SMP SSL session cache
- Add cache_peer standby connections
- Add helper ext_delayer_acl
- Add TCP_TUNNEL log code for CONNECT tunnels which are not SSL-bumped
- Add BUILDCXX and BUILDCXXFLAGS configure options for cross-compile
- Remove COSS storage in favour of Rock storage
- Remove dnsserver and external DNS helper API in favour of mDNS
- Remove broken mallinfo() accounting and memory tracing
- Remove hierarchy_stoplist in favour of always_direct
- Deprecate tag ACL type in favour of note ACL type
- Deprecate urlgroup feature in favour of note ACL type
- HTTP/1.1: method names are case-sensitive
- HTTP/1.1: register new headers from RFC 723x
- squidclient: polish and update help display
- squidclient: support TLS with GnuTLS 3.1.5+
- squidclient: support verbosity levels
- squidclient: --ping mode module support
- url_fake_rewrite: support concurrency
- storeid_file_rewrite: support concurrency
- digest_file_auth: support concurrency
- digest_edirectory_auth: support concurrency
- digest_ldap_auth: support concurrency
- ... and many error page translation updates
- ... and much code cleanup and polishing
Changes to squid-3.4.14 (01 Aug 2015):
- Do not blindly forward cache peer CONNECT responses (CVE-2015-5400)
Changes to squid-3.4.13 (01 May 2015):
- Bug 4212: ssl_crtd crashes with corrupt database
- ... and some documentation updates
- ... and all fixes from squid 3.3.14
Changes to squid-3.4.12 (18 Feb 2015):
- Bug 4066: Digest auth nonce indefinite rollover
- Bug 3997: Excessive NTLM or Negotiate auth helper annotations
- Fix several crashes when debugging enabled
- Fix silent SSL/TLS failure on split-stack operating systems
- HTTP/1.1: Stop emitting (Proxy-)Authentication-Info for Negotiate
- HTTPS: Add TLS/SSL option NO_TICKET to http[s]_port
- Remove dst ACL dependency on HTTP request message existence
- Set cap_net_admin when Squid sets TOS/Diffserv packet values
- ... and some documentation updates
Changes to squid-3.4.11 (13 Jan 2015):
- Bug 4164: SEGFAULT when %W formating code used in errorpages
- Bug 4057: Avoid on-exit crashes when adaptation is enabled.
- Bug 3760: squidclient ignores --disable-ipv6
- Bug 3754: configure doesnt detect IPFilter 5.1.2 system headers
- Bug 3664: ssl_crtd fails to build on OpenSolaris/OpenIndiana/Solaris 11
- cachemgr.cgi: memory leak in request parser
- Deleting first fs left psstate->servers pointing to uninitialized memory
- ... and some build issues
Changes to squid-3.4.10 (09 Dec 2014):
- Bug 4148: external_acl_type header format does not accept the new libformat syntax
- Bug 4145: squid_endian.h compile errors with OpenBSD 5.6
- Bug 4033: Rebuild corrupted ssl_db/size file
- Bug 3902: Docs: external_acl_type cache hash key
- Fix segmentation fault in ACL urlpath_regex
- Fix bootstrap.sh dependency on SPONSORS.list
- Alternate-Protocol is a hop-by-hop header
- HTTP/2: Support 421 (Misdirected Request) status code
Changes to squid-3.4.9 (31 Oct 2014):
- Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
- Bug 4102: sslbump cert contains only a dot character in key usage extension
- Bug 4093: source-maintenance.sh errors and warnings due to wrong tools/options
- Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
- Bug 4024: Bad host/IP ::1 when using IPv4-only environment
- Bug 3803: ident leaks memory on failure
- kerberos_ldap_group/cert_tool: Remove ksh dependency
- ... and some automated code style updates
- ... and some documentation updates
Changes to squid-3.4.8 (15 Sep 2014):
- Fix off by one in SNMP subsystem
- pinger: Fix various ICMP handling issues
Changes to squid-3.4.7 (28 Aug 2014):
- Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
- Bug 4080: worker hangs when client identd is not responding
- Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
- HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
- SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
- Enable compile-time override for MAXTCPLISTENPORTS
- ntlm_sspi_auth: Fix various build errors
- negotiate_wrapper: Fix build issues with non-portable vfork()
- negotiate_sspi_auth: Portability fixes for MinGW
- ext_lm_group_acl: Portability fixes for MinGW
- ... and several minor memory leaks
Changes to squid-3.4.6 (25 Jun 2014):
- Regression: segmentation fault logging with %tg format specifier
- Bug 4065: round-robin neighbor selection with unequal weights
- Bug 4056: assertion MemPools[type] from netdbExchangeStart()
- Bug 4050: segmentation fault in CommSelectEngine::checkEvents on helper response
- Fix segmentation fault setting up server SSL connnection
- Fix hanging Non-HTTPS connections on SSL-bump enabled port
- Fix Cache Manager actions listed more than once
- ... and many minor memory leaks
- ... and several portability build issues
- ... and some documentation updates
Changes to squid-3.4.5 (02 May 2014):
- Regression Bug 4051: inverted test on CONNECT payload existence
- Regression Fix: order dependency between cache_dir and maximum_object_size
- Fix logformat %note display
- Resolve 'dying from an unhandled exception: c'
Changes to squid-3.4.4.2 (23 Apr 2014):
- version bump for packaging re-build with altered toolchain
Changes to squid-3.4.4.1 (23 Apr 2014):
- Regression Bug 4019: Cache digest exchange segmentation fault
- Regression Bug 3982: EUI logging and helpers show blank MAC address
- Bug 4047: Support Android builds
- Bug 4043: Remove XMALLOC_TRACE and references to sbrk(2)
- Bug 4041: Missing files in compat/Makefile.am
- Bug 4014: Build failure with --disable-optimizations --disable-auth
- Bug 3986: (partial) assertion due to incorrect error page buffer size
- Bug 3955: Solaris EUI-48 lookup leaks FDs
- Bug 3371: CONNECT with data sent at once loses data
- C++11: Upgrade auto-detection to use the formal -std=c++11
- Crypto-NG: libnettle MD5 algorithm support
- SSL-Bump: Fix Basic auth caching on bumped connections
- Store-ID: Fix request URI when forwarding requests to peers
- ... and fix several other build errors
- ... and some documentation updates
Changes to squid-3.4.4 (09 Mar 2014):
- Bug 4029: intercepted HTTPS requests bypass caching checks
- Bug 4001: remove use of strsep()
- Bug 3186 and 3628: Digest authentication always sending stale=false for nonce
- Fix stalled concurrent rock store reads
- Fix helper ID number assignment
- Fix build failures from CMSG related definitions
- Fix build failures from libcompat unsafe.h protections
- Copyright: Relicense helpers by Treehouse Networks Ltd.
- ... and all bug fixes from 3.3.12
Changes to squid-3.4.3 (02 Feb 2014):
- Bug 4008: HttpHeader warnOnError should be an int not a bool
- Bug 4002: clang 3.4 unable to compile
- Bug 3996: Malformed DNS reply leads to crash
- Bug 3995: compile error on CentOS 5 with GCC 4.1.2
- Bug 3975: atomic detection cross-compilation failure
- Bug 3971: "cannot aggregate mgr:client_list: cmd->profile != NULL" in SMP mode
- Bug 3954: compile failure in CpuAffinity.cc
- Bug 3927: tests/testRock fatal.cc required
- Fix memory leak in peer Cache Digest exchange
- Fix external_acl_type async loop failures
- Fix destination IP address cycling
- ... and a few polishing changes
Changes to squid-3.4.2 (30 Dec 2013):
- Regression Bug 3980: FATAL ERROR due to max_user_ip -s option
- Regression Fix: \-unescaping in quoted strings from helpers
- Regression Fix: URL helper API bypassing on URL containing '=' character
- Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
- Bug 3806: Caching responses with Vary header
- Bug 3498: FTP PUT assertion
- WCCPv2: Fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
- Enable concurrency by default for SSL certificate validator
- ... and fix several build errors
Changes to squid-3.4.1 (09 Dec 2013):
- Bug 3935: Invalid pointer dereference when peeking at origin server certificate
- Bug 3589: intercepted and ICAP modified request using a cache_peer
- ... and several portability fixes
- ... and some documentation updates
Changes to squid-3.4.0.3 (01 Dec 2013):
- Bug 3941: Release notes error
- Receive annotations from authentication and external ACL helpers
- basic_nis_auth: Improved portability
- ... and several documentation updates
- ... and all bug fixes from 3.3.9, 3.3.10, 3.3.11
Changes to squid-3.4.0.2 (03 Oct 2013):
- Regression Bug 3891: squid.conf parser errors in 3.4.0.1
- Regression Fix: re-disable MinGW C++11 support
- Bug 3914: partial: make squidclient tool build cleanly with -Wconversion
- Fix memory leak in refresh_pattern parsing
- negotiate_kerberos_auth: upgrade to present group= keys
- Handle NTLM helper returning OK without user= value
- Add dns_multicast_local to control mDNS operation
- Add --disable-arch-native build option
- Display Build-Info in cache manager info report
- ... and all changes from squid 3.3.9
- ... and some code and debug output polishing
Changes to squid-3.4.0.1 (29 Jul 2013):
- Port from 2.7: StoreURL (renamed Store-ID) support
- Bug 3795: fix several mistakes in the MIB file
- Bug 3793: configure: improved helper detection
- Bug 3722: Invalid markup in Armenian hy ERR_ONLY_IF_CACHED_MISS
- Bug 3676: Support GCC 4.7 with -Wshadow option
- Bug 3643: NTLM helpers stuck in reserved state by Safari
- Bug 3389: Auto-reconnect for tcp access_log
- Bug 2066: squid does not do chdir() after chroot()
- Fix uninitialized fields in IcapLogEntry
- Fix a number of minor issues detected by Coverity Scan
- Fix some potential memory leaks detected by Coverity Scan
- Fix 64-bit support for Intel compiler suite (ICC) and other similar compilers
- Fix ACL matching algorithm to avoid repeating tests
- basic_pam_auth: Add -r option to strip NTLM/Negotiate domain from username
- squidpurge: fix META TLV parsing issues
- squid.conf: enforce all the directive and option names are lower-case
- Support EUI on HTTPS and FTP data connections
- Support OK/ERR/BH response codes from any helper
- Support No-lookup flag (-n) on DNS ACLs
- Support -march=native compiler optimization by default
- Support forwarding intercepted but not bumped connections to cache_peers
- Support IPv6 NAT interception on Linux and some BSD
- Deprecate log_icap and log_access configuration directives
- HTTP/1.1: improved method invalidation and cacheability detection
- HTTP/1.1: support length configuration for pipeline_prefetch queue
- Improved TPROXY support for OpenBSD and FreeBSD
- Add storeid_file_rewrite helper to perform Store-ID rewrites from a rules file
- Add all-of and any-of ACL types for grouping sets of ACL tests
- Add note directive for transaction annotations
- Add %note log format for transaction annotation logging
- Add note ACL type for matching annotated transactions with by annotation name or value
- Add kv-pair support to URL-rewrite/redirector interface
- Add SSL server certificate validator interface, helper and result cache
- Add SSL server certificate fingerprint ACL type
- Add spoof_client_ip access control
- Add pt-bz (Belize Portuguese) dialect to translations
- ... and many Windows portability changes (still incomplete)
- ... and many documentation changes
- ... and much code cleanup and polishing
Changes to squid-3.3.14 (01 May 2015):
- Bug 4093: source-maintenance.sh errors and warnings due to wrong tools/options
- ... and some documentation updates
- ... and all fixes from squid 3.2.14
Changes to squid-3.3.13 (28 Aug 2014):
- Fix segmentation fault setting up server SSL connnection
- HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
Changes to squid-3.3.12 (09 Mar 2014):
- Regression Bug 3769: client_netmask not evaluated since Comm redesign
- Bug 4026: Fix SSL and adaptation_access handling of aborted connections
- Bug 3969: Fix credentials caching for Digest authentication
- Bug 3806: Caching responses with Vary header
- Fix umask default on crash report generated email
- Fix pthread library detection on FreeBSD 10
- Avoid assertions on Range requests that trigger Squid-generated errors.
Changes to squid-3.3.11 (01 Dec 2013):
- Regression Bug 3936: error-details.txt parse error with OpenSSL since 3.3.9
- Bug 3972: Segfault when getting the deny_info page ID after a reconfigure
- Bug 3970: max_filedescriptors disabled due to missing setrlimit
- Bug 3967: ipc/Kid.cc compilation failure: 'time' was not declared in this scope
- Bug 3960: DEAD cache_peer are not revived
- Bug 3956: xstrndup: tried to dup a NULL pointer
- Bug 3906: Filedescriptor leaks in SNMP
- Bug 3782: Digest authentication not obeying nonce_max_count
- HTTP/1.1: Make header parser obey relaxed_header_parser
- HTTP/1.1: Re-compute Range response content offset after an FTP response was adapted
- SMP: Replace blocking sleep(3) and close UDS socket on failures
- Windows: fix several compile errors
Changes to squid-3.3.10 (03 Nov 2013):
- Bug 3929: request_header_add not working for tunnel requests
- Bug 3923: cbdata and undefined behavior due to dynamic runtime enumeration
- Bug 3918: Self Test Failures on Mac OS X 10.8
- Bug 3887: tcp_outgoing_tos not working for IPv6
- Bug 3836: Fix issues with automake 1.13+ and make check
- Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
- Fix pinning hierarchy log information
- Fix close idle client connections associated with closed idle pinned connections.
- Fix cbdata 'error: expression result unused' errors
- Avoid "hot idle": A series of rapid select() calls with zero timeout.
- Append Connection:close to OPTIONS requests when icap_persistent_connections is off
- ntlm_fake_auth: pass DOMAIN data to Squid in original case
- kerberos_ldap_group: fix LDAP string duplication
- Use IPv6 localhost nameserver on DNS configuration errors
- Add cache_miss_revalidate
- ... and several portability improvements
Changes to squid-3.3.9 (11 Sep 2013):
- Regression Bug 3077: off-by-one error in Digest header decoding
- Bug 3895: fix acl_uses_indirect_client and cache_peer_access
- Bug 3879: assertion failed ConnStateData::validatePinnedConnection
- Bug 3863: myportname acl causes segmentation fault
- Bug 3849: Duplicate certificate sent when using https_port
- Bug 2287: Better fix for unsupported HTTP version handling
- Bug 2112: Reload into If-None-Match
- Fix several assert with side effects in ICAP/eCAP response handling
- Fix myportname ACL on ICAP/eCAP transactions
- Fix external ACL user:pass detail logging after adaptation
- Fix SMP mgr:info report 'Largest file desc currently in use'
- Handle infinite certificate validation loops caused by OpenSSL Bug 3090.
- Improved compatibility with gcc 4.8, clang and icc
- Show number of available filedescriptors when reserved FD changes
- Sync with newest OpenSSL error codes
- Register Http2-Settings header
- ... and many Windows portability fixes
Changes to squid-3.3.8 (13 Jul 2013):
- Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
- Improved handling of port values in Host: header validation
Changes to squid-3.3.7 (11 Jul 2013):
- Bug 3297: Fix openSSL related build failures
- Fix build on FreeBSD 9.x platform with clang
- Protect against buffer overrun in DNS query generation
Changes to squid-3.3.6 (01 Jul 2013):
- Bug 3854: pt1: compile errors on AIX
- Bug 3802: Fix wrong check inside Format::Format::assemble
- Bug 3762: remove bogus WARNING in cache.log
- Bug 3717: assertion failed with dstdom_regex with IP based URL
- Bug 1991: kqueue causes SSL to hang
- Ask for SSL key password when started with -N but without sslpassword_program
- Make sure %<tt includes all [failed] connection attempts
- Support HTTP reply ACLs in icap_log and log_icap
- Fix incorrect external_acl_type codes
- Fix ICAP logging request headers and segmentation faults
- ... and some documentation polish
Changes to squid-3.3.5 (20 May 2013):
- Bug 3851: Delay Pool class 5 tag:levels displayed incorrectly in cache manager
- Bug 3845: http_port tcpkeepalive= option fails parsing
- Bug 3840: assertion failed 'sde' in UFS cache loading
- Bug 3836: make check failures with automake-1.13
- Bug 3827: Remove AccessLogEntry::cache.authuser
- Bug 3816 pt2: SSL_get_certificate call inside Ssl::verifySslCertificate crashes
- Bug 3780: cachemgr.cgi: output problem in HTTP Header Statistics
- Bug 3759: OpenSSL compilation error on stock Fedora17, RHEL, CentOS 6 systems
- Bug 3744: squid terminated: FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all
- Port from 2.6: external acl %ACL and %DATA tags
- Update copyright on SN.png
- ... and several minor memory leaks
- ... and some documentation polish
Changes to squid-3.3.4 (27 Apr 2013):
- Bug 3831: basic_ncsa_auth Blowfish and SHA support
- Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes
- Bug 3794: MacOS: workaround compiler errors and case-insensitivity
- Bug 3781: Proxy Authentication not sent to cache_peer
- Bug 3720 pt1: SourceLayout: shuffle fd_table definition into fde.h
- Bug 3720 pt2: Add missing include in /dev/poll I/O module
- Bug 3674: Improve compiler detection, better support warnings-as-errors on clang
- Add support for TPROXY on BSD
- Fix SSL Bump bypass for intercepted traffic
- Fix memory leaks in ConnStateData pinning
- Fix external_acl.cc "inBackground" assertion on queue overloads
- CacheMgr: fix missing column separator in helper stats
- OpenBSD: libpthreads requires OpenBSD 5.2 or later
- ... and lots of documentation updates
- ... and all changes from squid 3.2.10
Changes to squid-3.3.3 (12 Mar 2013):
- Bug 3720: Add missing include in /dev/poll I/O module (pt2)
- ... and all changes from squid 3.2.9
Changes to squid-3.3.2 (02 Mar 2013):
- Bug 3781: Proxy Authentication not sent to cache_peer
- Bug 3794: MacOS: workaround compiler errors
- Bug 3720: Compile error in Solaris /OpenIndiana
- ... and all changes from squid 3.2.8
Changes to squid-3.3.1 (09 Feb 2013):
- Bug 3726: build errors with --disable-ssl
- Propigate pinned connection persistency and closures to the client.
- Mimic SSL certificate Key Usage and Basic Constraints
- Fix segmentation fault on missing squid.conf values
- ext_sql_session_acl: Fix hex decoding on UID
- ... and some code polish
- ... and a lot of documentation polish
- ... and all changes from squid 3.2.7
Changes to squid-3.3.0.3 (09 Jan 2013):
- Bug 3729: 32-bit overflow in parsing 64-bit configuration values
- Bug 3728: Improve debug for cache_dir
- Additional fixes for CVE-2012-5643 / SQUID:2012-1
- kerberos_ldap_group: support multiple groups in squid.conf ACL definition
- kqueue: update status from experimental to fully available net I/O method
- ... and many memory leaks and potential bugs detected by Coverity Scan
Changes to squid-3.3.0.2 (03 Dec 2012):
- Support matching empty header field values using req_header and rep_header
- ... and some minor code polish and input vaidations
- ... and all changes from squid 3.2.4
Changes to squid-3.3.0.1 (21 Oct 2012):
- Bug 3610: Add peername_regex ACL
- Bug 3239: rename myip/myport as localip/localport
- Bug 3130: helpers are crashing too rapidly
- Add log_db_daemon SQL Database Logging Daemon
- Add ext_time_quota_acl helper managing sessions by bandwidth usage
- Add request_header_add option
- Support C++11 features where possible
- Support bump-ssl-server-first
- Support mimic SSL server certificates
- Remove --enable-ntlm-fail-open
- Fix TLS/SSL Options does not apply to the dynamically generated certificates
- Fix SslBump stuck after error
- Polish: display ACL enumeration text in debugs
- ... and many portability fixes for MacOS X, Windows and others
- ... and many compile error fixes
- ... and a very large amount of code polish for faster compilation
Changes to squid-3.2.14 (01 May 2015):
- Fix 'access_log none' to prevent following logs being used
- Fix X509 server certificate domain matching
- ... some documentation updates
Changes to squid-3.2.13 (13 Jul 2013):
- Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
- Improved handling of port values in Host: header validation
Changes to squid-3.2.12 (11 Jul 2013):
- Protect against buffer overrun in DNS query generation
- Avoid !closing assertions when helpers call comm_read during reconfigure.
- Fix several minor memory leaks during reconfigure
- Remove origin_tries limiter on forwarding and permit large max_forward_tries values
Changes to squid-3.2.11 (30 Apr 2013):
- Regression Bug 3839: build error: src/tools.h: No such file or directory
- Update copyright on SN.png
Changes to squid-3.2.10 (27 Apr 2013):
- Bug 3833: squidclient: Option '-k' is not present in man(1) page
- Bug 3825: basic_ncsa_auth: segfaulting with glibc-2.17
- Bug 3822: Locate LDAP and SASL headers for BSD support
- Bug 3817: Memory leak in SSL cert validate for alt_name peer certs
- Bug 3774: 'squid -k reconfigure' drops rock cache
- Bug 3565: Resuming postponed accept kills Squid
- HTTP/1.1: partial support for no-cache and private controls with parameters
- ssl_crtd: fix helpers dying during startup on ARM
- GNU Hurd: define MAP_NORESERVE as no-op when missing
- BSD: fix enter_suid/leave_suid build errors in ip/Intercept.cc
Changes to squid-3.2.9 (12 Mar 2013):
- Regression fix: Accept-Language header parse
- Bug 3673: Silence 'Failed to select source' messages
- Fix authentication headers sent on peer digest requests
- Fix build error on Solaris, OpenIndiana, Omnios
Changes to squid-3.2.8 (02 Mar 2013):
- Bug 3767: tcp_outgoing_tos/mark ACLs do not obey acl_uses_indirect_client
- Bug 3763: diskd Error: no filename in shm buffer
- Bug 3752: objects that cannot be cached in memory are not cached on disk
- Bug 3753: Removes the domain from the cache_peer server pconn key
- Bug 3749: IDENT lookup using wrong ports to identify the user
- Bug 3723: tcp_outgoing_tos/mark broken for CONNECT requests
- Bug 3686: cache_dir max-size default fails
- Bug 3515: crash in FtpStateData::ftpTimeout
- Bug 3329: Quieten orphan Comm::Connection messages
- Make squid -z for cache_dir rock preserve the rock DB
- Fixed several server connect problems
- ... and some build issues on Solaris, OpenIndiana, MacOS X
- ... and some documentation and debugs polishing
Changes to squid-3.2.7 (01 Feb 2013):
- Bug 3736: Floating point exception due to divide by zero
- Bug 3735: raw-IPv6 domain URLs crash if IPv6-disabled
- Bug 3732: Fix ConnOpener IPv6 awareness
- Bug 3729: 32-bit overflow in parsing 64-bit configuration values
- Bug 3728: Improve debug for cache_dir
- Bug 3687: unhandled exception: c when using interception and peers
- Bug 3678: external acl grace period causes acl lookup failures
- Bug 3567: Memory leak handling malformed requests
- Bug 3111: Mid-term fix for the forward.cc "err" assertion
- Support OpenSSL NO_Compression optio
- Fix IPv6 enabled pinger on split-stack or IPv6-disabled systems
- Fix "address.GetPort() != 0" assertion for helpers
- ... and several minor memory leaks
- ... and some cache.log message polishing
Changes to squid-3.2.6 (09 Jan 2013):
- Regression Bug 3731: TOS setsockopt() requires int value
- Regression Bug 3712: Rotating logs overwrites the previous log
- Bug 3727: LLVM compile errors in kerberos_ldap_group
- Bug 3650: Negotiate auth missing challenge token
- Additional fixes for CVE-2012-5643 / SQUID:2012-1
Changes to squid-3.2.5 (10 Dec 2012):
- Bug 3698: Add missing include of errno.h
Changes to squid-3.2.4 (03 Dec 2012):
- Ported: urllogin ACL from squid 2.7
- Bug 3688: Lots of Orphan Comm:Connections to ICAP server
- Bug 3677: Port un-pinning logic changes from squid 3.3
- Bug 3405: ssl_crtd crashes failing to remove certificate
- ... and major bugs fixed in squid 3.1.22
- Fix accept_filter on Linux
- Remove 'Bungled' warning on missing component directives
- ... and many buffer and memory leak issues in the bundled helpers
- ... and a small amount of code polishing
Changes to squid-3.2.3 (21 Oct 2012):
- Regression: SMP crashes on startup with workers > 1
- Bug 3655: pinning failure breaks NTLM and Negotiate authentication
- SMP: Allow a UFS cache_dir entry to coexist with a shared memory cache entry
- HTTP/1.1: honour Cache-Control before Pragma:no-cache
- HTTP/1.1: Cache-Control compliance upgrade
- Remove obsoleted refresh_pattern ignore-no-cache option
- Fix IPv6 enabled squidclient
- ... and several compile fixes
Changes to squid-3.2.2 (06 Oct 2012):
- Regression: Make login=PASS send no credentials when none available
- Regression: Handle dstdomain duplicates and overlapping names better
- Bug 3661: Segmentation fault when using more than 1 worker
- Bug 3660: ACLFilledChecklist::fd set with wrong fd for sslproxy_cert_error
- Bug 3658: ERR_ZERO_SIZE_OBJECT propagates out even after successful retry
- Bug 3648: polish String class files
- Bug 3647: parsing hier_code acl fails
- Bug 3626: forwarding loops on intercepted traffic
- Bug 3616: retrieve client connection for ACL checks from the related HttpRequest object
- Bug 3609: several RADIUS helper improvements
- Bug 3605: memory leak in Negotiate authentication
- Fix small memory leak in src ACL parse
- Fix maximum_single_addr_tries upgrade
- Fix chunked encoding on responses carrying a Content-Range header.
- Do not reuse persistent connections for PUTs to avoid ERR_ZERO_SIZE_OBJECT
- ... and several compile errors
Changes to squid-3.2.1 (15 Aug 2012):
- Bug 3605: memory leak in peer selection
- Bug 3478: better default handling without -DSTRICT_ORIGINAL_DST
- ... and some documentation updates
Changes to squid-3.2.0.19 (02 Aug 2012):
- Regression Bug 3580: IDENT request makes squid crash
- Regression Bug 3577: File Descriptors not properly closed
- Regression Bug 3478: Allow peer selection and connection auth on intercepted traffic
- Regression Fix: Restore memory caching ability
- Bug 3556 Workaround: epoll assertion failed: comm.cc:1093: isOpen(fd)
- Bug 3551: store_rebuild.cc:116: "store_errors == 0" assertion
- Bug 3525: Do not resend nibbled PUTs and avoid "mustAutoConsume" assertion.
- Avoid bogus "Disk space over limit" warnings when rebuidling dirty ufs index
- Support custom headers in [request|reply]_header_* manglers
- ... and much code polishing
Changes to squid-3.2.0.18 (29 Jun 2012):
- Bug 3576: ICY streams being Transfer-Encoding:chunked
- Bug 3537: statistics histogram leaks memory
- Bug 3526: digest authentication crash
- Bug 3484: Docs: sslproxy_cert_error example flawed
- Bug 3462: Delay Pools and ICAP
- Bug 3405: ssl_crtd crashes failing to remove certificate
- Bug 3380: Mac OSX compile errors with CMSG_SPACE
- Bug 3258: Requests hang when Host forgery verify fails
- Bug 3186: Digest auth caches failed state without revalidating
- Bug 2976: ERR_INVALID_URL for transparently captured requests when reconfiguring
- Bug 2885: AIX: check and set required compiler flags
- Fix ssl_crtd compile issues with libsslutil
- Fix build with GCC 4.7 (and probably other C++11 compilers).
- Fix double-escape of %R on deny_info redirect responses
- Support status 308 Permanent Redirect
- Support for TLSv1.1 and TLSv1.2 options and methods
- Support passing external_acl_type credentials on ICAP
- Language Updates: fr, hy, pt_BR
- ... and many compile issues on Windows
- ... and some minor code polish
Changes to squid-3.2.0.17 (12 Apr 2012):
- Bug 3527: EUI compile errors on Mac OS X 10.5.8 PPC
- Bug 3509: kQueue compile error
- Bug 3505: crash in CbcPointer<Comm::ConnOpener> constructor
- Bug 3441: Part 3: Replace corrupted v1 swap.state with new v2 format.
- Bug 3397: do not mark connection as opened until after SYN-ACK
- Bug 3193: NTLM decoder truncating strings
- Windows FD handling polish and some fixes
- Solaris 9/10 various build fixes
- ... and some more code polish
Changes to squid-3.2.0.16 (07 Mar 2012):
- Bug 3508: Correct DNS timeout handling.
- Bug 3503: DNS PTR queries timeout due to wrong QIDs.
- Bug 3497: Bad ssl_crtd db size file causes infinite loop
- Bug 3490: part 1: SegFault opening FTP active data connections
- Bug 3490: Crash writing Apache Common and Referer/Useragent logs
- Bug 3458: Icon Serving (squid-internal-static) Broken
- Bug 3457: Display TLS error details in ERR_SECURE_CONNECT_FAIL
- Bug 3381: 32-bit overflow assertion in StatHist
- Bug 3324: loadFromFile: parse error while reading template file
- Support sslpassword_program for ssl-bump HTTP ports
- Support CoAP protocol coap:// and coaps:// URL schemes in HTTP requests
- Retry requests that failed due to a persistent connection race
- Log '-' on requests with no Referer or User-Agent headers
- ... and several fixes related to in-transit object performance
- ... and some structural design changes for portability
Changes to squid-3.2.0.15 (06 Feb 2012):
- Bug 3472: segfault with the message 'urlParse: URL too large'
- Bug 3471: segfault when %la formating code used
- Bug 3449: part 3: shm_open can fail with a mangled path
- Bug 3449: part 4: shm_open failed (fixing memory_cache_shared defaults)
- Bug 3448: 204 response problem in adaptation chains
- Bug 3447: assertion failed: CommCalls.h:150: "dp"
- Bug 3461: build regression in IPFilter NAT
- Bug 3413: raise cbdata lock limits
- Bug 3391: forwarded_for log functionality broken
- Bug 3268: Squid cannot do anything else during ufs/diskd rebuild
- Bug 3268: remove wrong 'Ready to serve requests.' message
- Bug 2519: ssl_bump + Authentication (LDAP Digest) issues
- Disable OpenSSL SSL/TLS bug workarounds by default
- Send DNS A and AAAA queries in parallel
- Cache Manager migration support
- Allow service of internal requests over reverse-proxy ports
- Fix trimMemory for unswappable objects
- ... and several build and polish fixes
Changes to squid-3.2.0.14 (12 Dec 2011):
- Bug 3433: Segfault closing SNMP
- Bug 3420: Request body consumption races and !theConsumer exception.
- Bug 3406: SSL Log Error in debug
- Bug 3383: store.cc:1631: "new_status != IN_MEMORY" assertion
- Bug 3383: unhandled exception: theGroupBSize > 0
- Bug 3377: assertion failed: store.cc:885: "store_status == STORE_PENDING"
- Bug 3367: fix inverted check on host_strict_verify
- Bug 3366: assertion comm.cc:1276: isOpen(fd) via CompositePoolNode::kickReads
- Bug 3364: SNMP Orphans
- Bug 3301: ERR_DNS_FAIL never shown
- Bug 3150: do not start useless unlinkd
- ext_session_acl: version 1.2
- Add adaptation_meta option
- Add a mask on the qos_flows miss configuration value
- Support intermediate CA in ssl-bump traffic certificates
- Support SSL certificate failure details on error page
- Fix flags for NAT intercept and TPROXY not set correctly
- Fix fastCheck() default result on multi-line actions
- Fix missing SMP shared memory statistics
- Fix Comm::Write closing() assertion when retrying a failed UDP DNS query
- ... and several other TCP and SMP support behaviour fixes
- ... and many code polishing cleanups and fixed build errors
- ... and several documentation polishings
Changes to squid-3.2.0.13 (14 Oct 2011):
- Regression Bug 3363: never_direct always 'unable to forward this request at this time'
- Regression Bug 3351: FTP timeout causing "store_status == STORE_PENDING" assertion
- Regression Bug 3336: reconfigure assertion 'hlp->childs.n_running > 0'
- Regression fix: always_direct/never_direct failures
- Regression fix: stop an SSL header file being included after --disable-ssl
- Regression fix: parse HTTP list headers with embedded 8-bit characters
- Bug 3355: configure setting --with-swapdir ignored
- Bug 3325: option to selectively enable strict host verify checks
- Bug 3337: HTTP status 200 is not accepted for deny_info
- Bug 3077: '\' in url query strings cause Digest authentication to fail
- Support SMP worker shared memory cache
- Support SMP worker shared disk cache (rock)
- ext_session_acl: version 1.1
- Fix Host verify: do not pinn destination IP if URL re-write has been done
- Fix IPF interception
- Fix ssl_crtd "Cannot add certificate to db" when updating expired cert
- Fix ssl_crtd CertificateDB locking scheme
- ... and all changes from 3.1.16
- ... and many compile and polishing fixes
Changes to squid-3.2.0.12 (17 Sep 2011):
- Regression Bug 3335: ICAP service is down
- Regression Bug 3322: adapt:: and icap:: format codes do not parse
- Regression Bug 3303: Support for non-English usernames in log files
- Regression Bug 3259: assertion failed: Connection.cc:29: 'fd<0' after REVIVED PARENT
- Regression: %I shows hostname on SSL error page
- Regression: FTP outgoing port always 'in use' on PASV connections
- Bug 3337: (partial) status 200 is not accepted for deny_info
- Bug 3319: Inconsistencies in error messages
- Bug 3281: pconn in-use while closing assertion
- Bug 3243: Fix cases: raw-IPv6, case variant FQDN, internal request
- Fixed max-stale check. Entities not exceeding max-stale were marked as stale
- Adjust format code %la for intercepted connections
- Log ICAP_ERR_GONE ICAP transaction outcome when ICAP initiator disappears early
- Send RST packet when closing an ICAP connection after a transaction error
- Support maximum field width for string access.log fields
Changes to squid-3.2.0.11 (28 Aug 2011):
- Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control
- Host: authority validation of intercepted destination IP
- Host: authority validation of request URL
- Host: authority validation of CONNECT tunnel destination
- Preserve client destination IP in intercepted communication
- Regression Bug 3316: Failed to connect to nameserver using TCP
- Regression Bug 3311: segmentation fault in getMyPort() with only intercept port set
- Regression Bug 3310: %<pt translates as %<p
- Regression Bug 3301: ERR_DNS_FAIL never shown (partial)
- Regression Bug 3288: %<la and %<lp not displaying
- Bug 3289: cache manager parameters not parsed without password
- Bug 2279: Log Format options to log server source IP and port
- Bug 3211: ssl_crtd start even if no ssl-bump port is configured
- Bug 3138: squidclient mgr:objects/mgr:vm_objects never ends
- Bug 3118: ecap_enable on forces icap_enable on
- Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
- Default to vhost for accelerator mode (reverse proxy)
- Display HTTP protocol syntax at section 11 level 2
- Support for using custom keys in CARP parents
- Optimize regular expression ACLs
- ... and a lot of code portability fixes
- ... and all bugs and polish changes from 3.1.15
Changes to squid-3.2.0.10 (24 Jul 2011):
- Port from 2.7: act-as-origin for reverse proxy ports
- Regression fix: broken --disable-ipv6
- Regression fix: negative cacheing on unknown or -1 expiry timestamp
- Regression fix: vhost and defaultsite causing vport to be ignored
- Regression fix: several errors in persistent connection handling
- Regression Bug 3280: allow max-size unset and min-size=N for large objects
- Regression Bug 3245: reconfigure assertion in MemPools[type]
- Regression Bug 3274: assertion failed: CommCalls.h:144: "dp"
- Regression Bug 3273: assertion comm.cc:775: Comm::IsConnOpen(conn)
- Regression Bug 3269: cache.log applyQueryParams messages
- Regression Bug 3264: Segmentation Fault in src/ipc/Strand.cc(54) receive: 3
- Regression Bug 3246: assertion client_side.cc:1407 connIsUsable(http->getConn())
- Bug 3267: workers IPC mount points disobey --localstatedir
- Bug 3248: login=NEGOTIATE sends wrong auth header to origin peers
- Bug 3247: Domain from URL Stripped when going through peers
- Bug 3244: wrong port for peer relayed requests
- Bug 3195: kerberos_ldap_group will not build without kerberos
- Bug 2862: add http(s):// support to cache manager
- kerberos_ldap_group: several fixes to -S option
- ssl_crtd: Add man(8) file
- ... and several pieces of code cleanup and polishing.
- ... and most bug fixes and updates from 3.1.14 and 3.1.15
Changes to squid-3.2.0.9 (18 Jun 2011):
- Bug 3159: delay pools --disable-auth compile problems
- HTTP/1.1: Support multiline quoted-string header fields
- HTTP/1.1: Send 505 Unsupported Version on mangled version codes
- Support configurable and translated SSL error details messages
- Add log format codes for split client/server views of HTTP request line
- Major upgrade of TCP connection handling
- Support split-stack IPv6 to servers
- Support persistent connections with tcp_outgoing_address/tcp_outgoing_tos
- Optimized persistent connection handling
- Optimized FTP data connection handling
- Optimized TCP failure recovery
- ... and all bug fixes and updates from 3.1.12.3
- ... and many code polish, documentation and translation cleanups
Changes to squid-3.2.0.8 (30 May 2011):
- Bug 3214: "helperHandleRead: unexpected read from ssl_crtd" errors.
- Bug 3043: Properly detect Iphlpapi.h on windows
- Bug 2055: Honor ICAP Max-Connections
- Fix NTLM/Negotiate reply auth PASSTHRU to peers
- Support SSL SNI to origin servers
- Add %EXT_LOG and %EXT_TAG external_acl_type format options
- Add %b tag for proxy listening port display in error pages
- Optimize base64 encoding/decoding
- Require libcap before enabling netfilter MARK support
- Require libtool 2.2
- Bundle pkg.m4 from pkg-config 0.25 for OS without pkg-config
- ... and all bug fixes and updates from 3.1.12.2
- ... and some documentation and code polishing
Changes to squid-3.2.0.7 (19 Apr 2011):
- Regression fix: NTLM and Negotiate auth assertion "RefCountCount() == 2"
- Regression fix: icons/ FHS compliance
- Regression fix: Startup aborts with URL error when --disable-htcp
- Bug 3192: comm.cc:216: "fd_table[fd].halfClosedReader != NULL"
- Add negotiate_wrapper_auth version 1.0.1
- Fixed %dt logging in the presence of REQMOD
- Fixed chunked request forwarding in ICAP REQMOD presence
- ... all bug fixes and updates from 3.1.12.1
- ... many code polishings and display cleanups
Changes to squid-3.2.0.6 (04 Apr 2011):
- Regression fix: upgrade existing icons
- Regression fix: do not crash when accessing an SSL certificate with errors
- Regression fix: prevent stdio log module segfaults on rotate
- Regression fix: shutdown properly even if a worker process crashes on exit
- Regression Bug 3159: (partial fix) ICAP and --disable-auth compile problems
- Bug 3170: "Unsupported or unconfigured/inactive proxy-auth scheme" on shutdown
- Bug 3105: malformed Proxy-Authorization leaks memory
- Bug 3007: CONNECT to cache_peer returns 000 status code
- Bug 2885: Compile errors on AIX
- Support parameterized Cache Manager queries
- Support libecap v0.2.0; fixed eCAP body handling and logging
- Support dynamic adaptation plans that cover multiple vectoring points
- Support %D details for documented OpenSSL errors
- Support logging of all transactions including those with uncertain status or no sent response
- Updrate negotiate_kerberos_auth to version 3.0.4sq
- Update ext_kerberos_ldap_group_acl to version 1.3.0sq
- Update ext_edirectory_userip_acl to version 2.1
- Convert dns_timeout and dns_retransmit_interval directives to use millisecond resolution
- Change the default dns_timeout value from 2 minutes to 30 seconds
- Fix TCP log stream flushing on every line
- ... all bug fixes and updates from 3.1.12
- ... a great many compiler portability fixes
- ... many code polishings and display cleanups
Changes to squid-3.2.0.5 (12 Feb 2011):
- Regression Fix: profiler should not be built by default
- Regression Bug 3081: assertion failed: AsyncCallQueue
- Regression Bug 2948: Requests for FTP active downloads cause failed assertion
- Bug 3089: FTP command output overrides directory listing
- Bug 2870: --disable-auth does not work
- Bug 2586: multiple memory leaks during reconfigure
- Bug 2581: FTP directory listing sometimes fails
- Port from 2.7: maximum staleness limits
- HTTP/1.1: Support RFC 5861 Cache-Control: stale-if-error option
- HTTP/1.1: Support configurable status codes for deny_info
- Support upcoming "fresh message creation" eCAP API
- Aggregate SNMP responses when using SMP with multiple workers
- Several more Solaris, Windows and ICC support fixes
- ... all bug fixes and updates from 3.1.11
- ... and more code cleanup shufflings
- ... and several documentation updates
Changes to squid-3.2.0.4 (22 Dec 2010):
- Port 2.x: cache_dir min-size setting
- Bug 3059: Crash on digest auth headers with unknown nonce
- Fix cachemgr reported HTTP/ICP requests/messages per minute when multiple workers used
- Fix cachemgr mem-pools reporting
- Add Dynamic SSL certificate generation
- Add useragent, referer, combined built-in log formats
- Obsolete log_fqdn directive
- Obsolete useragent/referer/forward_log directives
- HTTP/1.1: Send 1.1 on CONNECT responses
- Updated Kerberos support for newer GSSAPI releases
- Improve handling of adapted body delivery failures in REQMOD request satisfaction mode
- Improve handling of early eCAP transaction failures
- Various ext_edirectory_acl fixes
- ... all bug and feature fixes included in 3.1.10 release
- ... and a lot of code and documentation polishing
Changes to squid-3.2.0.3 (07 Nov 2010):
- Regression fix: SMP broke ICP outgoing IP lookup if no udp_outgoing_addr set
- Regression fix: ESI processing of Surrogate filter
- Bug 3091: bypassed ICAP errors are not counted as service failures
- Bug 3048: "commio_has_callback(fd, IOCB_READ, ccb)" assertion.
- Bug 3038: Detatch libmisc from libcompat
- Bug 3028: Permit wbinfo_group.pl to authenticate Kerberos users with NT domain
- Bug 3002: store initialization (-z) does not work with SMP configs
- Bug 2999: v2.0 of ext_edirectory_userip_acl
- Bug 2785: DNS needs to set EDNS options advertising Squid capabilities
- Bug 595: Add %err_code and %err_detail logformat codes for transaction failures
- HTTP/1.1: support If-Match and If-None-Match requests
- HTTP/1.1: forward 1xx control messages to clients that support them
- HTTP/1.1: send Age:0 header even if it may break IE5
- HTTP/1.1: dechunk incoming requests and chunk outgoing requests
- HTTP/1.1: entry is stale if request has max-age=0
- HTTP/1.1: harden quoted-string parser
- Add --enable-build-info for extra "squid -v" display
- Add --with-swapdir=PATH to override default /var/cache/squid
- Add cpu_affinity_map directive to bind workers to CPU cores
- Add Netfilter MARK support for QoS
- Add upgrade process for obsolete options
- Add support for RFC 2965 Set-Cookie2 / Cookie2 headers
- Add support for client send bandwidth limits (a.k.a., quota or delay pool)
- Fixes Eui48 support on OpenBSD
- Fixes cache manager support with SMP configs
- ... several documentation updates
- ... all bug and feature fixes included in 3.1.9 release.
- ... many more code polishes and leak removals
Changes to squid-3.2.0.2 (04 Sep 2010):
- Bug 3015: assertion failed: comm.cc:143: "ccb->active()"
- Support rotating logs from cachemgr and squidclient
- Support Kerberos authentication in squidclient
- Add manual page for negotiate_kerberos_auth
- Add helper ext_kerberos_ldap_group_acl to lookup Kerberos/NTLM group via LDAP
- Add tool 'purge' for management of UFS/AUFS/DiskD caches (experimental)
- Added log options %http::<bs and %icap::<bs
- Collapse HTCP cache_peer options into one setting
- Improved request smuggling attack detection. Tolerating valid benign HTTP
- ... and several HTTP/1.1 compliance improvements
- ... and all improvements in 3.1.7 and 3.1.8
Changes to squid-3.2.0.1 (03 Aug 2010):
- Port from 2.7: Logging infrastructure updates
- Port from 2.7: Unique sequence number per log line
- Port from 2.6: STORE_META_OBJSIZE swapout storage type
- Bug 2792: tcp_outgoing_addr does not work with TPROXY
- Bug 2631: refresh_pattern store-stale option
- Bug 2305: Multiple leaks and assertion crashes in authentication
- Bug 1239: Much needed ACL type random
- Bug 7: (partial): Migrate on-disk objects to cache_mem on hit/refresh and update
- Support full Surrogate/1.0 protocol extensions to HTTP for reverse-proxies
- Support SMP for essential non-caching functionality
- Support logging over TCP
- Support Solaris 10 pthreads (experimental)
- Support Kerberos login to peers
- Support EUI / MAC in more environments
- Support format tags in deny_info URLs
- Support running helpers on-demand instead of all at startup
- Support fully transparent login=PASSTHRU of authentication headers to peers
- Support multi-lingual localised FTP directory listings
- Support TPROXYv4 spoofing of X-Forwarded-For client address
- Support ICAP 206 Partial Content extension
- Append the _ABORTED or _TIMEDOUT suffixes to the action access.log field
- Add ACL support to range_offset_limit
- Add helpers for url_rewrite
- Add helper multiplexer for concurrency emulation with legacy helpers
- Add Perl library which facilitates parsing access logfile entries.
- Add a simple script to summarise traffic use per user
- Add templates for captive portal proxy configuration instructions
- Add logging of the local TCP port used by transactions with HTTP servers
- Update mswin_check_ad_group to version 2.0
- Update squid_kerb_auth helper to version 3.0.2
- Remove double-language error page hack (replaced by locale auto-negotiation)
- Remove TPROXYv2 support (replaced by TPROXYv4)
- Remove no_check.pl NTLM helper (replaced by ntlm_fake_auth)
- Re-work ./configure script for smarter auto-detect and early error checks
- Auto-enable all features by default
- Workaround com_err.h C++ brokenness triggered by OpenSSL includes
- Helpers naming scheme
- Add support for write timeouts
- Modify icap_service_failure_limit option to forget old ICAP errors
- Updated man(8) manuals including several additions and translations
- ... and a great many code cleanups
- ... and a great many testing improvements
- ... and many documentation updates
Changes to squid-3.1.23 (09 Jan 2013):
- Additional fixes for CVE-2012-5643 / SQUID:2012-1
Changes to squid-3.1.22 (03 Dec 2012):
- Bug 3685: Squid hangs in Delay Pools ClassCBucket::update
- Bug 3659: read_timeout problem with HTTPS
- Bug 3654: Fix IPv6 enabled squidclient
- Bug 3189: AIO thread race on pipe() initialization
- cachemgr.cgi: Memory Leaks and DoS Vulnerability
Changes to squid-3.1.21 (23 Sep 2012):
- Bug 3622: peerClearRRStart scheduling multiple events
- Bug 3615: configure check for default max number of FDs is broken
- Bug 3607: --enable-auth documented default action incorrect
- Bug 3593: socket failure: Address family not supported by protocol
- Bug 3584: Detection of setresuid() is broken
- Bug 3568: Consolidate external_acl_type config dumping and add missing %%
- Bug 3564: eCAP not supporting CoAP URI schemes
- Bug 3484: Docs: sslproxy_cert_error example flawed
- Bug 3462: Delay Pools and ICAP
- Bug 3133: better fix: Memory leak handling requests for sites that don't exist
- Bug 2976: ERR_INVALID_URL for transparently captured requests when reconfiguring
- Silence IOS 15.1 unknown capabilities messages.
- Account for Store disk client quota when bandwidth-limiting the server.
- ... and several documentation fixes
- ... and several compile fixes
Changes to squid-3.1.20 (08 Jun 2012):
- Regression Bug 3545: FreeBSD dnsserver segfaults
- Regression Bug 3504: clientside_tos fails to mark traffic
- Bug 3539: CONNECT server connection not closed correctly on errors
- Bug 3502: client timeout uses server-side read_timeout, not request_timeout
- Bug 3466: Adaptation stuck on last single-byte body piece
- Bug 3463: dnsserver fails to compile
- Bug 3439: correct external_acl_type documented default for ipv4/ipv6 option
- Bug 3390: Proxy auth data visible to scripts
- Bug 3263: ssl_crtd: undefined references to squid_curtime
- Bug 3233: Invalid URL accepted with url host is white spaces
- Bug 3133: Memory leak handling requests for sites that don't exist
- Bug 3074: Improper URL handling with empty path (RFC 3986)
- Bug 3013: segmentation fault on shutdown commSetCloseOnExec at comm.cc:1889
- Regression: snmp/udp address directives not resolving hostname
- Better helper-to-Squid buffer size management.
- Support CoAP over HTTP (coap:// and coaps:// URLs)
- Support for 3.2 error template codes
Changes to squid-3.1.19 (06 Feb 2012):
- Regression Bug 3441: part 2: Prevent further cache size corruption of swap.state
- Bug 3473: erase last uses of obsolete auth_user_hash_pointer
- Bug 3470: GCC 4.7
- Bug 3442: assertion failed: external_acl.cc:908: ch->auth_user_request != NULL
- Bug 3441: part 1: Minimize cache size corruption by malformed swap.state
- Bug 3440: compile error in Adaptation
- Bug 3420: Request body consumption races and !theConsumer exception
- Bug 3370: external ACL sometimes skipping
- Bug 3085: Crash when parsing esi:include
- HTTP/1.1: do not add 110 and 111 Warnings to revalidated responses
- Fix SSL library dependency fixes
Changes to squid-3.1.18 (03 Dec 2011):
- Regression: compile error in FTP
Changes to squid-3.1.17 (03 Dec 2011):
- Bug 3432: Crash logging FTP errors
- Bug 3428: Active FTP data channel accepted twice
- Bug 3423: access violation in URL parser
- Bug 3422: Buffer overflow in recv-announce
- Bug 3412: External ACL Uses Invalid Cache Entry
- Bug 3408: Wrong header length leads to EFAULTs when creating UFS swap.log.new
- Bug 3398: persistent server connection closed after PUT/DELETE
- Bug 3299: dnsserver: various undefined references
- Bug 3077: '\' in url query strings cause Digest authentication to fail
- Bug 2910: MemBuf may grow beyond max_capacity
- Bug 2619: Excessive RAM growth due to unlimited adapted body data consumption
- Bug 1243: Build overrides configured AR setting
- Avoid crashes when processing bad X509 common names (CN).
- Support %% in external ACL format
- ... and several other compile error fixes
- ... and several documentation fixes
Changes to squid-3.1.16 (14 Oct 2011):
- Bug 3373: invalid URL in ERR_CACHE_ACCESS_DENIED
- Bug 3368: Unhandled exceptions are not logged (workaround)
- Bug 3326: miss_access incorrect default
- Bug 3320: miss_access description confusing
- Bug 3241: squid_kerb_auth cross compilation fix
- Bug 3237: seq fault in free() from rfc1035RRDestroy
- Bug 3190: Large HTTP POST stuck after early ICAP 400 error response
- db_auth: display available DSN drivers on connect error
- Updated OpenSSL 1.0.0 version checks
- ... and several documentation fixes
Changes to squid-3.1.15 (28 Aug 2011):
- Regression fix: vhost and defaultsite causing vport to be ignored
- Regression Bug 3295: broken escaping in rfc1738_do_escape
- Bug #3232: fails to compile with OpenSSL v1.0.0
- Bug #3222: cache_peer name is not logging on CONNECT
- Bug #3131: fd_table[fd].closing() assert from ConnStateData::noteMoreBodySpaceAvailable()
- Bug #3217: "!fd_table[fd].closing()" from ServerStateData::noteMoreBodySpaceAvailable
- Bug #3213: https sites (CONNECT) not open when using NTLM
- Bug #3114: Memory leak in SSL certificate verify code
- Bug #3107: ncsa_auth DES silently truncates passwords to 8 bytes
- Bug #2662: cf_gen failure when cross compiling
- Bug #2655: passing wrong the username to the url_rewrite_program
- Bug #2495: ignore whitespace prefix on config lines
- Bug #2051: 'default' cache_peer option does not match documentation
- Bug #1842: Optimize order of tests in peerWouldBePinged() and peerHTTPOkay()
- Bug #1791: timestampsSet does not validate Date: if server sends very old date
- Correct parsing of large Gopher indexes
- Enable negative cacheing on unknown or -1 expiry timestamp
- Remove hierarchy_stoplist default value
- Migrate cf_gen tool from C-style to C++
- ... and several documentation and compiler warning fixes
Changes to squid-3.1.14 (04 Jul 2011):
- Regression Bug 3261: Could not create a DNS socket and exit
Changes to squid-3.1.13 (01 Jul 2011):
- Regression Bug 3239: problems with myip/myport upgrade
- Bug 3153: hung ICAP RESPMOD transactions
- Update ssl_crtd to use 'OK' status inline with other helpers
Changes to squid-3.1.12.3 (18 Jun 2011):
- Bug 3236: Port of %oa, %<lp and %<lp and %<la log format options
- Bug 3214: unexpected read from ssl_crtd
- Bug 3153: Prevent ICAP RESPMOD transactions getting stuck with the adapted body
- Fix RADIUS helper resource leak
- Fix segfault parsing digest auth realm
- Fix segfault in parse_eol()
- Fixed bypass of SSL certificate validation errors
- Warn about myip/myport problems on interception proxies
- Polish: display easily grepped config lines on -k parse
- Fix squidclient -V option and allow non-HTTP protocols to be tested
Changes to squid-3.1.12.2 (30 May 2011):
- Bug 3226: Tags from external ACLs do not correctly expire
- Bug 3215: Malformed IPv6 DNS reverse lookup
- Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches
- Bug 3205: SSL-bump starts then hangs
- Bug 3178: gcc-4.6 complains unused variables
- Bug 3122: Unknown record type in WCCPv2 Packet (6)
- Bug 2965 (partial): Compile errors on MinGW
- Fix to only ssl-bump CONNECT requests if they are about to be tunneled
- Fix cache manager display of -i/+i in regex ACL config display
- Fix cache manager display of cache_peer options userhash and sourcehash
- Fix URL re-writer loosing many transaction details
- Fix always-true comparison in ICAP for some 32-bit platforms
- Support for 'slow' group ACLs in ssl_bump access control
- Support OpenSSL 1.0.0 built without SSLv2
- Support GCC 4.6 and binutils-gold
- Add CSS id attribute to BODY tag of generated error pages.
- Display WARNING and ERROR when max_filedescriptors has failed
Changes to squid-3.1.12.1 (19 Apr 2011):
- Port from 3.2: Dynamic SSL Certificate generation
- Bug 3194: selinux may prevent ntlm_smb_lm_auth from using /tmp
- Bug 3185: 3.1.11 fails to compile on OpenBSD 4.8 and 4.9
- Bug 3183: Invalid URL accepted with url host part of only '@'
- Display ERROR in cache.log for invalid configured paths
- Cache Manager: send User-Agent header from cachemgr.cgi
- ... and many portability compile fixes for non-GCC systems.
Changes to squid-3.1.12 (04 Apr 2011):
- Regression fix: Use bigger buffer for server reads.
- Regression fix: Add reply_header_replace directive for ability lost since 2.7
- Bug 3181: /dev/poll fails to build on Solaris with GCC 4.5.0
- Bug 3177: assertion failed: comm.cc:1583: "fd >= 0"
- Bug 3175: IPv6 PTR lookup crashes on raw-IP URLs when IPv6 disabled
- Bug 3173: Assertion bodyPipe!=NULL on SslBump CONNECT response writing failure
- Bug 3164: Total memory info display 32-bit overflows
- Bug 3155: Werror is hard-coded in libTrie build
- Bug 3151: squid_kerb_auth: use autoconf LIBS instead of FLAGS for library linkage
- Bug 2976: invalid URL on intercepted requests during reconfigure (workaround)
- Bug 2720: comment in same line as cache/mem_replacement_policy causes error
- Bug 2621: Provide request headers to RESPMOD when using cache_peer.
- Bug 2330: AuthUser objects are never unlocked
- Prevent CONNECT request relaying to origin servers
- squidclient HTTP/1.1 compliance updates (Pragma and User-Agent headers)
- squidclient: send Cache Manager password using -w
- eCAP: give full Request-URI to adapters
- ... and several debug and error display cleanups
Changes to squid-3.1.11 (08 Feb 2011):
- Bug 3149: not caching eCAP adapted body
- Bug 3144: redirector program blocks while reading STDIN
- Bug 3140: memory leak in error page generation
- Bug 3137: RADIUS auth helper does not send identifier to RADIUS server
- Bug 3115: logging segfaults if access_log is set to a directory
- Bug 2968: Show the Vary: headers information in cachemgr objects report
- Bug 2959: remove SAMBAPREFIX dependency
- Bug 2868: icc doesn't like string literal in assert checks
- HTTP/1.1: Send 307 status on deny_info redirection
- HTTP/1.1: Support POST/PUT with no body
- HTTP/1.1: Allow persistent connections for Mozilla/3.0 User-Agents
- Support RFC 5861 Cache-Control: stale-if-error option
- Add ftp_eprt directive to disable EPRT extensions in FTP
- Fix external_acl_type grace=0 to obey TTL
- Fix IP/FQDN cache accounting to avoid idle caches on busy servers
- Prevent pipeline_prefetch misconfigurations breaking NTLM/Negotiate auth
- ... and some documentation updates and corrections
- ... and some portability and stability fixes
Changes to squid-3.1.10 (22 Dec 2010):
- Bug 3121: memory leak in DigestAuth: AuthUser object is locked twice
- Bug 3113: Consuming too much memory when uploading files
- Bug 3110: 'reply_body_max_size none' does not work with x-forwarded-for
- Bug 3096: Consuming too much memory when delaying traffic
- Bug 3091: Bypassed ICAP errors are not counted as service failures
- Bug 3090: Polish FTP login error handing
- Bug 3068: cache_dir capacity and usage overflows
- Bug 3028: Permit wbinfo_group.pl to authenticate Kerberos users with NT domain
- Bug 427: HTTP Compliance: Support If-Match and If-None-Match requests
- Fix memory leak in adaptation_access
- Fix /dev/poll and poll() selection priority
- Fix PREFIX/var/run creation during install
- Fix cachemgr http_port config report display
- Add upgrade help process for obsolete options
- Accept RFC 2965 Set-Cookie2 / Cookie2 headers as 'known'
- HTTP/1.1: entry is stale if request has max-age=0
- HTTP/1.1: do not forward TRACE with Max-Forwards: 0 after REQMOD
- Toolchain update to support newer auto-tools
- ... and updated error page translations
- ... and updated documentation
- ... and some code optimization/simplification polish
Changes to squid-3.1.9 (25 Oct 2010):
- Bug 3088: dnsserver is segfaulting
- Bug 3084: IPv6 without Host: header in request causes connection to hang
- Bug 3082: Typo in error message
- Bug 3073: tunnelStateFree memory leak of host member
- Bug 3058: errorSend and ICY leak MemBuf object
- Bug 3057: 64-bit Solaris 9 Squid unable to determine peer IP and port
- Bug 3056: comm.cc "!fd_table[fd].closing()" assertion crash when a helper dies
- Bug 3053: cache version 1 LFS support detection broken
- Bug 3051: integer display overflow
- Bug 3040: Lower-case domain entries from hosts and resolv.conf files
- Bug 3036: adaptation_access acls cannot see myportname
- Bug 3023: url_rewrite_program silently fails to rewrite on broken URLs
- Bug 2964: Prevent memory leaks when ICAP transactions fail
- Bug 2808: getRoundRobinParent not handling weights correctly
- Bug 2793: memory statistics sometimes display wrong
- Bug 2356: Port from 2.7: Solaris /dev/poll event ports support
- Bug 2311: crashes with ICAP RESPMOD for HTTP body size greater than 100kb
- Ensure /var/cache or jail equivalent exists on install
- HTTP/1.1: delete Warnings that have warning-date different from Date
- HTTP/1.1: do not remove ETag header from partial responses
- HTTP/1.1: make date parser stricter to better handle malformed Expires
- HTTP/1.1: improve age calculation
- HTTP/1.1: reply with a 504 error if required validation fails
- HTTP/1.1: add appropriate Warnings if serving a stale hit
- HTTP/1.1: support requests with Cache-Control: min-fresh
- HTTP/1.1: do not cache replies to requests with Cache-Control: no-store
- squidclient: Display IP(s) connected to in verbose (-v) display
- Fixes several issues with ICAP persistent connections
- Fixes small leaks in Netdb, DNS, ICAP, ICY, HTTPS
- ... and some cosmetic polishing
Changes to squid-3.1.8 (04 Sep 2010):
- Bug 3033: incorrect information regarding TOS
- Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
- Bug 3005,2972: Locate LTDL headers correctly (again)
- Bug 2872: leaking file descriptors
- Bug 2583: pure virtual method called
- Hardened DNS client against packet queue attacks
- Hardened HTTP request-line parser
- Several HTTP/1.1 support improvements
- Improved cross-compile support
- .. and several internal pointer safety fixes
Changes to squid-3.1.7 (23 Aug 2010):
- Regression Bug 3021: Large DNS reply causes crash
- Regression Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes
- Regression Bug 2997: visible_hostname directive no longer matches docs
- Bug 3012: deprecate sslBump and support ssl-bump spelling in http_port
- Bug 3006: handle IPV6_V6ONLY definition missing
- Bug 3004: Solaris 9 SunStudio 12 build failure
- Bug 3003: inconsistent concepts in documentation of cache_dir
- Bug 3001: dnsserver link issues
- HTTP/1.1: default keep-alive for 1.1 clients (bug 3016)
- HTTP/1.1: Improved Range header field validation
- HTTP/1.1: Forward multiple unknown Cache-Control directives
- HTTP/1.1: Stop sending Proxy-Connection header
- Fix 32-bit wrap in refresh_pattern min/max values
- ... and several documentation corrections.
Changes to squid-3.1.6 (02 Aug 2010):
- Bug 2994, 2995: IPv4-only regressions
- Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
- Bug 2975: chunked requests not supported after regular ones
- Fix: 32-bit overflow in reported bytes received from next hop
- Fix Libtool build regressions
- Limited split-stack IPv6 support.
- squid_db_auth support MD5 encrypted passwords
Changes to squid-3.1.5.1 (28 Jul 2010):
- Update Libtool to 2.2.
- Bug 2985: search scope for digest_ldap_auth didn't work
- Bug 2972: LTDL 2.2.6b compile errors
- Bug 2963: Stop ignoring --with-valgrind-debug failures
- Bug 2885: AIX support: several fixes
- Bug 2651: crash handling NULL write callback
- Fixed several memory leaks related to Range requests
- Fixed Joomla DB auth handling
- Fixed SASL helper build checks
- Fixed several IPv6 portability problems
- Updated error page translations
Changes to squid-3.1.5 (02 Jul 2010):
- Bug 2967: raw-IPv6 address URL with append_domain broken
- Bug 2950: HTTP responses with no Date, L-M or Expires can now be cached
- Bug 2943: ICAP tokens not logged when using multiple access
- Bug 2937: Fails to detect chunked encoding if not given in all lower case
- Bug 2903: does not send indirect X-Client-Ip in ICAP respmod
- Fix free memory corruption and off-by-one error when comparing SNMP OIDs
- Port from 2.7: max_filedescriptor config option
- Fix persistent_connection_after_error is meant to be on by default
- ... and several build errors.
Changes to squid-3.1.4 (30 May 2010):
- Bug 2933: Verification of the max. port number for WCCP2 dynamic service
- Bug 2924: RADIUS helper compile issues
- Bug 2922: Fix assertion failed: HttpHeader.cc: "Headers[id].stat.aliveCount"
- Bug 2919: tcp_outgoing_address ACLs not obeying acl_uses_indirect_client
- Bug 2896: Fix assertion failed: comm.cc:2063: "!fd_table[fd].closing()"
- Bug 2879: pt2: 3.0 regression in headers end finding
- Bug 2877: pt2: only output zero-size warning on reverse-proxy requests
- Bug 2876: FD_SETSIZE override not working on all linux distributions
- Bug 2810: common log format generates 2 lines of syslog
- Bug 2789: Optimize unlimited memory pools, and correctly handle limits over 2GB
- Bug 2753: Fall back on IPv4 if IPv6 is not present
- Bug 2697: Adaptation leaks and extra requests after reconfiguration
- Bug 2633: Fix Ecap::HeaderRep::value(name) fails when there is no named header field
- Change LDAP helpers to default to LDAP version 3 if available
- Add Joomla and Salted Hash support to squid_db_auth helper
- Fixed IpAddress port printing for ports higher than 9999
- Disable chunked memory pooling by default.
- ... and several build errors.
Changes to squid-3.1.3 (02 May 2010):
- Remove: Advertise 1.1 on replies to clients (broken chunked handling)
- Fix tag ACL type not working
Changes to squid-3.1.2 (01 May 2010):
- Bug 2913: Fix DB auth warning in new perl version
- Bug 2904: Prevent automake creating incomplete files
- Bug 2899: Regression: Restore lost rfc1738_unescape() data type
- Bug 2895: Regression: TPROXY2 compile errors
- Bug 2879: Regression: headers end-finding
- Bug 2874: Accept literal IPv6 address in icap_service URL
- Bug 2860: Regression: WCCPv1 handshake
- Bug 2848: Pass TCP_RST to client on early disconnect
- Debian Bug 578047: Correct behaviour of --enable-ipv6
- HTTP/1.1: Advertise 1.1 on requests to servers
- HTTP/1.1: Advertise 1.1 on replies to clients
- AIX / UNIX build fixes
- Cygwin build fixes
- squidclient: -k option to test connection keep-alive or close
- Improved helper build for wider compatibility
- Ensure the PID file directory exists on install
Changes to squid-3.1.1 (29 Mar 2010):
- Bug 2873: undefined symbol
- Bug 2827: assertion in authentication
- Remove ufsdump binary from default builds
- Remove pinger from default startups
- ... and several documentation updates.
Changes to squid-3.1.0.18 (14 Mar 2010):
- Regression Fix: IPv4-mapped prefix, broken in 3.1.0.16
- Bug 2869: Remove unused external reference
- Bug 2866: Support OpenSSL 1.0
- Bug 2813: Random unix_group crash at startup
- Send HTTP1.1 compliant 417 responses
- Associate external acl message with the request
- Various Digest parser fixes
- ... and all bug fixes from 3.0 up to 3.0.STABLE25
Changes to squid-3.1.0.17 (24 Feb 2010):
- Regression Fix: Non-English error page UTF encoding
- Bug 2616: reduce IdleConnList::removeFD messages
- Bug 1843: multicast-siblings cache_peer option
- Port from 2.7: X509 certificate alias-domain handling
- Add adapted_http_access option
- NTLMv2 support for fake NTLM helper
Changes to squid-3.1.0.16 (01 Feb 2010):
- Regression Fix: Make Squid abort on all config parse failures.
- Regression Bug 2811: SNMP client/peer table OID numbering
- Bug 2851: Connection pinning fails when using a peer
- Bug 2850: Mismatch in hier_code enum / hier_strings array
- Bug 2731: Add follow_x_forwarded_for support to ICAP
- Bug 2730: Regressions in follow_x_forwarded_for since Squid-2
- Bug 2706: Set timestamps during ICAP request satisfaction.
- Bug 2553: X-Forwarded-For with IPv6 address not handled correctly
- Fix: WCCPv1 not connecting to router correctly
- Remove obsolete RunCache/RunAccel scripts.
- Add client_ip_max_connections
- Add the http::>ha format code and make http::>h log original request headers
- ... and all bug fixes from 3.0 up to 3.0.STABLE22
- ... and many more minor build and display annoyances.
Changes to squid-3.1.0.15 (23 Nov 2009):
- Regression Fix: myip ACL not accepted in config
- Bug 2795: acl arp lookups including port
- Bug 2794: ESI parsing fails on FreeBSD
- Bug 2778: fix linking issues using SunCC
- Bug 2724: eCAP build failure unless ICAP enabled
- Bug 2628: Correct default PID location to PREFIX/var/run/squid.pid
- Bug 2617: Performance degradation during processing list of dstdomain ACL's
- Bug 2374: Support ICY / ICEcast / SHOUTcast streaming protocol.
- Fix: 64-bit filesize issue in squidclient POST of large files
- Fix: send correct Connection: header on intercepted replies
- Support libtool 2.x
- ESI libraries libexpat and libxml2 now optional
- ESI support default enabled
- Bump libcap minimum requirement to libcap 2.09+
- ARP / MAC support fixes for IPv6-mode
- Add outstanding IPv6 settings to squid.conf (localnet, localhost)
- ... and many additions to the background testing structure
- ... and very many minor build and code cleanups for non-GCC compilers.
Changes to squid-3.1.0.14 (27 Sep 2009):
- Bug 2777: Various build issues on OpenSolaris
- Bug 2773: Segfault in RFC2069 Digest authentication
- Bug 2747: Compile errors on Solaris 10
- Bug 2735: Incomplete -fhuge-objects detection
- Bug 2722: Fix http_port accel combined with CONNECT
- Bug 2718: FTP sends EPSV2 on IPv4 connection
- Bug 2648: stateful helpers stuck in reserved
- Bug 2570: wccp2 "Here I Am" announcements not sent in memory-ony mode
- Bug 2510: digest_ldap_auth uses incorrect logic with TLS
- Bug 2483: bind() called before connect()
- Bug 2215: config file line length limit (extended to 2 KB)
- Support Accept-Language: * wildcard
- Support autoconf 2.64
- Support TPROXY for IPv6 traffic (requires kernel support)
- Support TPROXY cache cluster behind WCCPv2
- Correct ESI support to work in multi-mode Squid
- Add 0.0.0.0 as an to_localhost address
- DiskIO detection fixes and use optimal IO in default build.
- Correct peer connect-fail-limit default of 10
- Prevent squidclient sending two Accept: headers
- ... all bug fixes from 3.0.STABLE19
- ... and many more documentation fixes
Changes to squid-3.1.0.13 (04 Aug 2009):
- Bug 2723 regression: enable PURGE requests if PURGE method ACL is present.
- Fix one more internal profiler error
- Language Updates: Italian, Russian
- Language Updates: Add many more aliases
- Add Copyright document for errors/ content
- ... all bug fixes from 3.0.STABLE18
- ... and several code polishing cleanups
Changes to squid-3.1.0.12 (27 Jul 2009):
- Bug 2716: Chunked request Signed/Unsigned build error
- Bug 2674: Remove limit on HTTP headers read.
- Bug 2620: Invalid HTTP response codes causes segfault
- Fix FTP EPSV negotiation parser.
- Fix Via string when leak checking is enabled (valgrind etc)
- ... and several documentation and testing additions
Changes to squid-3.1.0.11 (19 Jul 2009):
- Bug 2087: Support adaptation sets and chains
- Bug 2459: dns error message broken when error handling delayed
- Support ICAP Retry
- Support ICAP retries based on the ICAP responses status code
- Support logging ICAP
- Support logging total DNS wait time
- Support logging response times of adaptation transactions
- General logging enhancements
- Dynamically form chains based on ICAP X-Next-Services header
- Support cross-transactional ICAP header exchange
- ... and much adaptation polish and improvements
Changes to squid-3.1.0.10 (18 Jul 2009):
- Bug 2680: Regression Crash after rotate with no helpers running
- Bug 2695: Regression in WCCPv2 L2 mask assignment
- Bug 2707: Regression in FTP anonymous auth
- Bug 422, 2706: RFC 2616 Date header requirements
- Bug 1087: ESI processor not quoting attributes correctly.
- Bug 1338: File prefetches aborted despite range_offset
- Bug 2080: wbinfo_group.pl - false positive under certain conditions
- Bug 2092: select loop 32-bit call counter overflows
- Bug 2127: delay pools class 4 crashes with ntlm auth
- Bug 2611: document fast/slow acl types
- Bug 2614: Potential loss of adapted body data from eCAP adapters
- Bug 2658: Missing TextException copy constructor
- Bug 2659: String length overflows on append, leading to segfaults
- Bug 2699: Build failure NTLM smb_lm helper
- Bug 2709: TRANSLATIONS not installed
- Bug 2710: squid_kerb_auth non-terminated string
- Delay pools 64-bit buckets and IPv6-polish
- Break forwarding loops for "transparent" or "intercept" http_ports.
- Add --disable-translation option to detatch .po from error negotiation
- Add squidclient man(1) page
- Add localhost to default permitted networks
- http_port allow-direct option to allow direct forwarding in accelerator mode
- ... and many testing infrastructure updates
Changes to squid-3.1.0.9 (26 Jun 2009):
- Bug 2682: Add ftp_epsv control to disable EPSV support.
- Bug 2665: Detach automake system from using -I.
- Bug 2395: FTP auth errors not displayed
- ... also several changes and bugs closed in 3.0.STABLE16
- Port from 2.7: Show local address on listening sockets
- Add "tag" type acl matching tags set by external acl helpers.
- Adds Language alias linker/installer/upgrade scripts
- Support for GCC 4.4
- Fix false NAT lookup errors on Linux
- Fix many Windows port issues
- Fix squid_kerb_auth helepr install location
- Better detection of IPv6 stack types
- Updates Licensing information for Squid 3.1
- ... and many packaging portability build and install issues
Changes to squid-3.1.0.8 (24 May 2009):
- Bug 2656: Pinger dies with general protection fault
- Bug 2650: configure requires epoll_ctl in libepoll when --enable-epoll used
- Bug 2648: Authentificator processes deferring and don't shutdown.
- Bug 2645: allow squid to ignore must-revalidate
- Bug 2644: auth scheme initialization is broken
- Bug 2632: Make number of reforwarding tries configurable
- Bug 2628: --with-pidfile=PATH option to override DEFAULT_PID_FILE
- Bug 2627: HTCP Logging
- Bug 2615: Call libecap::adapter::Service::start() when finalizing config.
- Bug 2589: SNMP returning no data - wrong oid decoded
- Bug 2571: Squid with IPv6 fails to start on kernel without IPv6
- Bug 2559: Problem parsing /0 and /0.0.0.0
- Bug 2404: WCCP in mask mode is broken
- ... also all bugs closed by 3.0.STABLE14, 3.0.STABLE15, 3.0.STABLE16-RC1
- Complete Interception multiple NAT support
- Add Content-Disposition to the known headers list.
- Make PEER_TCP_MAGIC_COUNT configurable
- Fix pinger install location
- Enable TPROXY v4 spoofing of CONNECT requests
- ... and much documentation and code polishing
Changes to squid-3.1.0.7 (08 Apr 2009):
- Fix: several issues with ident
- Add several language translations
- Upgrade code testing infrastructure
- Migrate much code to build as internal libraries
- Support gcc 4.4
- Support doxygen 1.5.8
- ... and much code polish to make things read easier
Changes to squid-3.1.0.6 (01 Mar 2009):
- Regression Fix: Support HTTP/0.9 in accelerator mode
- Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode
- Bug 2593: Compile errors on Solaris 10
- Bug 2591: adaptation_access does not work
- Bug 2588: coredump in rDNS lookup
- Bug 2526: default ALLOW when no list specified.
- Bug 2287: Send a 505 on requests with unsupported HTTP versions
- Bug 419: Hop by Hop headers MUST NOT be forwarded
- Fix external_acl_type handling of SSL certificate details
- Obsolete: dependency on nss_common.h and nss.h
- Support libtool2
- ... and various documentation and code polish
Changes to squid-3.1.0.5 (03 Feb 2009):
- Bug 2583: Fixed issue in content adaptation
- Bug 2576: Make translate target obey --disable-auto-locale
- Bug 2571: Add DNS failover to use IPv4-only listen when IPv6 fails.
- Bug 2563: 99+% CPU Usage on FTP URL
- Bug 2505, 2524, 2558: fixed several issues on connection handling
- Fix several issues in request parsing
- Fix memory leak from logformat parsing
- Fix various ESI build errors
- Make configure tests use C++ instead of C
- Drop special localhost conversion RFC violation.
- Add Language: Arabic
- ... and various documentation and code polish
Changes to squid-3.1.0.4 (23 Jan 2009):
- Regression Fix: Bug 2558: rollback bug 2395 fix.
- Bug 2555: Fixes to SNMP-MIB
- Bug 2550: assertion comm.cc:350 !fd_table[fd].closing()
- Bug 2547,2548: OSX compile errors (duplicate symbols and IPv6)
- Bug 2508: comm.cc:2035 assertion fd_table[fd].closing()
- Bug 2330: allow keep-alive+chunked; don't add max-age for no-cache
- Polish ZPH configuration interface
- Several Language Conversions to new auto-negotiate
- Port from 2.7: squidclient -V and -j options for HTTP/1.1 and 0.9 testing
- Fix: Pconn not being used when they should.
- Fix: Fix pinger immediate shutdowns
- Fix: Untangle CacheManager reports from log_fqdn
- ... and all bugs fixed for 3.0.STABLE12
- ... and many code polish and optimization fixes.
Changes to squid-3.1.0.3 (5 Dec 2008):
- Regression Fix: StoreIOBuffer patch removed.
- Regression Fix: build issues with 3.1.0.2 bundle
- Security Bug 2526: default ALLOW when no list specified
- Bug 2525: encoding error on error pages
- Bug 2424: slow file descriptor leak
- Bug 2527: ICAP compile error on g++ 4.3.2
- Bug 2523: bad assertion left in from debug
- Bug 2395: FTP Auth errors and others not displayed
- Update squid_kerb_auth to 1.0.5
with better Squid integration.
- Fix cache_peer forcedomainname= option
- ... and many other minor fixes
Changes to squid-3.1.0.2 (9 Nov 2008):
- Bug 2516: error page templates not properly installed
- Bug 2500: Solaris build issues
- Fixes FreeBSD build issues
- Release Notes completed
- Languages: new Russian, Japanese, Chinese, and general updates
- ... and other minor fixes
Changes to squid-3.1.0.1 (27 Oct 2008):
- Bundled ntlm_auth helper renamed (see Release Notes before changing anything)
- peername ACL added for matching against a named peer destination
- configure option --with-logdir= added to select log files location
- squid_kerb_auth helper updated to 1.0.3 release
- Bug #740: allow external acl's to use reply headers in format
- Bug #2379: obsolete dns_testnames option
- Code test infrastructure expanded to configuration testing
- Policy changes to negative_ttl, cache deny QUERY, refresh_pattern
to bring their defaults up to RFC 2616 requirements.
- Large increase in RFC 2616 standard compliance (ongoing)
- squid.conf cleanups for minimal config
- Connection Pinning ported from 2.6 for NTLM passthru authentication
- eCAP internal adaptation module support
- Localization and CSS display control of error pages
- Added semi-automatic documentation of source code
- Added TE chunked encoding decoder to workaround broken HTTP/1.1 servers
- HTCP improvements ported from 2.7 adding HTCP CLR requests
- IPv6 (Internet Protocol version 6) support
- ICMPv6 (Internet Control Message Protocol version 6) support
- FTP agent now supports EPSV/EPRT commands
- DNS internal resolver now supports AAAA and CNAME records
- SNMP peer and client tables now support IPv6
- SNMP peer table supports named peers with multiple entries per IP
- SslBump: Squid-in-the-middle decryption and encryption of straight
CONNECT and transparently redirected SSL traffic, using configurable
client- and server-side certificates. While decrypted, the traffic
can be inspected using ICAP.
- TPROXY version 4.1 support
- IPFW and Netfilter interception methods may now both be built in one binary.
- ZPH Quality of Service patch now integrated
- Null store now fully obsoleted and removed
- Unknown request methods all supported
- Follow_x_forwarder_for ported from 2.6
- Bug #2223: Follow XFF extensions added
- ... and many code and documentation cleanups
Changes to squid-3.0.STABLE26 (28 Aug 2011):
- Regression: header_replace for reply headers
- Bug 3183: Invalid URL accepted with url host part of only '@'.
- Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
- Bug 3056: comm.cc "!fd_table[fd].closing()" assertion from helperServerFree
- Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
- Bug 2933: Verification of the max. port number for WCCP2 dynamic service
- Bug 2922: Fix assertion failed: HttpHeader.cc: "Headers[id].stat.aliveCount"
- Regression Bug 2899: Restore lost rfc1738_unescape() data type
- Regression Bug 2879: headers end finding
- Bug 2876: FD_SETSIZE override not working on all linux distributions
- Check for NULL and empty strings before calling str*cmp().
- Correct parsing of large Gopher indexes
Changes to squid-3.0.STABLE25 (14 Mar 2010):
- Bug 2845: Rework the http digest auth parser
- Bug 2787: unknown/unexpected status code messages
- Bug 2507: squid_ldap_group: Strip Domain name separated by +
- Bug 2367: stale=true on digest requests with unknown nonce
- ... and several other minor corrections
Changes to squid-3.0.STABLE24 (13 Feb 2010):
- Bug 2858: Segment violation in HTCP
- Updated refresh pattern for dynamic pages
Changes to squid-3.0.STABLE23 (02 Feb 2010):
- Bug 2856: removing assert() required for 3.0 patch for SQUID-2010:1
- Regression Fix: Build error in Kerberos helper after library removal.
Changes to squid-3.0.STABLE22 (01 Feb 2010):
- Regression Fix: Make Squid abort on all config parse failures.
- Bug 2787: Reduce unexpected http status to non-critical warnings.
- Bug 2496: Downloading some variants in full before relaying
- Bug 2452: Add upper limit to external_acl_type entries.
- Removed optional kerberos/spnegohelp/ library due to licensing issues
- Add client_ip_max_connections
- Handle DNS header-only packets as invalid.
Changes to squid-3.0.STABLE21 (22 Dec 2009):
- Bug 2830: Clarify where NULL byte is in headers.
- Bug 2778: Linking issues using SunCC
- Bug 2395: FTP errors not displayed
- Bug 2155: Assertion failures on malformed Content-Range response headers
- Fix parsing and a few bugs in ACL time type
- Fix RFC keep-alive compliance on intercepted replies
- Improved security hardening on %nn parser
- Replace several GCC-specific code snippets.
Changes to squid-3.0.STABLE20 (29 Oct 2009):
- Bug 2794: ESI parsing on FreeBSD
- Bug 2791: assertion failed: MemBuf.cc:400: new_cap > (size_t) capacity
- Bug 2779: Support GNU/kFreeBSD
- Bug 2773: Segfault in RFC2069 Digest authantication
- Bug 2768: squid_ldap_group argument parsing error
- Bug 2761: Gopher and double HTTP response header
- Bug 2735: Incomplete -fhuge-objects detection
- Bug 2722: prevent CONNECT via http_port with accel
- Bug 2624: Invalid response for IMS request
- Bug 2510: digest_ldap_auth TLS support
- Correct LINUX_CAPABILITY actions on non-Linux
Changes to squid-3.0.STABLE19 (06 Sep 2009):
- Bug 2745: Invalid Response error on small reads
- Bug 2739: DNS resolver option ndots can't be parsed from resolv.conf
- Bug 2734: some compile errors on Solaris
- Bug 2648: stateful helpers stuck in reserved if client disconnects while helper busy
- Bug 2541: Hang in 100% CPU loop while extacting header details using a delimiter other than comma
- Bug 2362: Remove support for deferred state in stateful helpers
- Add 0.0.0.0 as a to_localhost address
- Docs: Improve chroot directive documentation slightly
- Fixup libxml2 include magics, was failing when a configure cache was used
- ... and some minor testing improvements.
Changes to squid-3.0.STABLE18 (04 Aug 2009):
- Bug 2728: regression: assertion failed: !eof
- Bug 2732: reply_body_max_size smaller than error page loops
infinitely until out of memory
- Bug 2725: pconn failure if domain or client_address are unset
- Bug 2648: reserved helpers not shut down after reconfigure/rotate
- Bug 2462: make check should tell when cppunit is missing
- Remove excess messages about headers < minimum size
- Support Libtool 2.2.6
Changes to squid-3.0.STABLE17 (27 Jul 2009):
- Bug 2680 regression: Crash after rotate with no helpers running
- Bug 2710: squid_kerb_auth non-terminated string
- Bug 2679: strsep and strtoll detection failure
- Bug 2674: Remove limit on HTTP headers read.
- Bug 2659: String length overflows on append, leading to segfaults
- Bug 2620: Invalid HTTP response codes causes segfault
- Bug 2080: wbinfo_group.pl - false positive under certain conditions
- Bug 1087: ESI processor not quoting attributes correctly.
- Fix: issue with AUFS/UFS/DiskD writing objects to disk cache
- Several small build issues with previous release.
Changes to squid-3.0.STABLE16 (15 Jun 2009):
- Bug 2672: cacheMemMaxSize 32-bit overflow during snmpwalk
- Bug 2481: Don't set expires: now in generated error responses
- Bug 2387: The calculation of the number of hash buckets correctly
- Fix infinite loop in MSNT auth helper
- Fix FD_SETSIZE on FreeBSD
- Fix stripping NT domain in squid_ldap_group
- Fix RADIUS auth helper build
- Add Translate: and Unless-Modified-Since: headers to known list
- Make fakeauth handle NTLMv2 better
- Better Kerberos support detection
- Several Widows port fixes
Changes to squid-3.0.STABLE16-RC1 (16 May 2009):
- Bug 1148: Ported from 3.1: Chunked Transfer Encoding
- Bug 2648: NTLM helpers not shutting down when deferred
Changes to squid-3.0.STABLE15 (06 May 2009):
- Regression Bug 2635: Incorrect Max-Forwards header type
- Bug 2652: 'Success' error on CONNECT requests
- Bug 2625: IDENT receiving errors
- Bug 2610: ipfilter support detection
- Bug 2578: FTP download resume failure
- Bug 2536: %H on HTTPS error pages
- Bug 2491: assertion "age >= 0"
- Bug 2276: too many NTLM helpers running
- Endian system and compiler fixes provided by the NetBSD project
- documentation fixes provided by the Debian project
Changes to squid-3.0.STABLE14 (11 Apr 2009):
- Regression Fix: HTTP/0.9 in accelerator mode
- Bug 1232: cache_dir parameter limited to only 63 entries
- Bug 1868: support HTTP 207 status
- Bug 2518: assertion failure on restart/reconfigure
- Bug 2588: coredump in rDNS lookup
- Bug 2595: Out of bounds memory write in squid_kerb_auth
- Bug 2599: Idempotent start
- Bug 2605: Prevent setsid() on helpers in daemon mode
- Fix external_acl_type option parsing
- Fix delay pools counters on FTP
- Fix several issues with ident (some remain)
- Fix performance issues with persistent connections
- Fix performance issues with delay pools
- Fix forwarding of OPTIONS requests
- Add support for HTTP 1.1 Content-Disposition header
- Add support for Windows 7, Windows Server 2008 R2 and later
- ... and many small documentation updates
Changes to squid-3.0.STABLE13 (03 Feb 2009):
- Fix several issues in request parsing
- Fix memory leak from logformat parsing
- Fix various ESI build errors
- ... and some documentation updates
Changes to squid-3.0.STABLE12 (21 Jan 2009):
- Bug 2533: Solaris (sparc) 64-bit build breaks with gcc/g++
- Bug 2542: ICAP filters break download resume
- Bug 2556: HTCP fails without icp_port
- Bug 2564: logformat '%tl' field not working as advertised
- Port from 3.1: TestBed basic build consistency checks
- Policy: Change half_closed_clients default to off
- Policy: Removed -V command line option, deprecated by 2.6
- ... and several other minor code cleanups
Changes to squid-3.0.STABLE11 (24 Dec 2008):
- Bug 2424: filedescriptors being left unnecessary opened
- Bug 2545: fault passing ICAP filtered traffic to peers
- Bug 2227: Sefgaults in MemBuf::reset during idnsSendQuery
- ... and some minor admin and debug cleanups.
Changes to squid-3.0.STABLE11-RC1 (3 Dec 2008):
- Removes patch causing cache of bad objects
- Bug 2526: bad security default in ACLChecklist
- Fixes regression: access.log request size tag
- Fixes cache_peer forceddomainname=X option
- ... and many minor documentation cleanups
Changes to squid-3.0.STABLE10 (14 Oct 2008):
- Bug 2391: Regression: bad assert in forwarding
- Bug 2447: Segfault on failed TCP DNS query
- Bug 2393: DNS requests getting stuck in idns queue
- Bug 2433: FTP PUT gives bad gateway
- Bug 2465: Limited DragonflyBSD support
- ... and other minor bugs and documentation
Changes to squid-3.0.STABLE9 (9 Sep 2008):
- Policy Enforcement: COSS is unusable in 3.0
- Port from 3.1: Language Pack compatibility
- Port from 2.6: Windows Support Notes
- Fix several minor regressions:
HTCP stats reporting
cachemgr delay pool config
CARP build error
- Bug 2340: uudecode dependency for icons removed
- Bug 2352: no_check.pl ntlm challenge fix
- Bug 2426: buffer increase for kerberos auth fields
- Bug 2427: squid_ldap_group codes fix
- Bug 2437: peer name now shown in access.log
- Add sane display of unsupported method errors
- ... and various other code cleanups
Changes to squid-3.0.STABLE8 (18 Jul 2008):
- Port from 2.6: Support for cachemgr sub-actions
- Port from 2.6: userhash peer selection method
- Port from 2.6: sourcehash peer selection method
- Bug 2376: round-robin balancing fixes
- Bug 2388: acl documentation cleanup
- Bug 2365: cachemgr.cgi HTML output encoding
- Bug 2301: Regression: Log format size options
- Bug 2396: Correct the opening of PF device file.
- Bug 2400: ICAP accept mechanism
- Bug 2411: Regression: fakeauth_auth crashes
- Many fixes to the Windows support (not complete yet).
- Boost error pages HTML standards.
- Fixes several issues on 64-bit systems
- Fixes several issues on older or stricter compilers
- Linux-2.6.24/2.6.25 netfilter_ipv4.h __u32 workaround
- Update Release Notes: 'all' ACL is built-in since 3.0.STABLE1
Changes to squid-3.0.STABLE7 (22 Jun 2008):
- Fix several ASN issues
- Fix SNMP reporting of counters
- Fix round-robin algorithms
- GCC 4.3 support
- Netfilter v1.4.0 bug workaround
- Bugs 2350 and 2323: memory issues
- Bugs 2384, 951, 1566: ESI assertions
- Various minor debug and documentation cleanups
Changes to squid-3.0.STABLE6 (20 May 2008):
- Bug 2254: umask Feature from 2.6 added
- cachemgr.cgi default config file added
- Several authentication bug fixes
- Improved Windows Support
- better DNS lookup methods for unqualified hostames
- better support for 64-bit environments
- Bug 2332: Crash when tunnelling
- Removed the advertisement clause from BSD licenses
according to the GPLv2+ changes in BSD
- ... and other bugs and minor cleanups
Changes to squid-3.0.STABLE5 (28 Apr 2008):
- Support for resolv.conf 'domain' option
- Improved URI support, including
longer URI up to 8192 bytes accepted
better handling of intercepted URI
better port for non-FQDN URI lookups
- Improved logging, including
Bug 3210 fixed: incorrect timestamp format in earlier 3.0 releases.
Fixed 'log_ip_on_direct' option behaviour
- Support for profiling on x86 64-bit systems
- .. and other bugs and minor code cleanups.
Changes to squid-3.0.STABLE4 (2 Apr 2008):
- Bug 2288: compile error slipped into STABLE3.
Changes to squid-3.0.STABLE3 (31 Mar 2008):
- Improved HTTP 1.1 support.
- Improved MacOSX (Leopard) support
- Bug 2206: Proxy-Authentication regression in STABLE2.
- Strip Domain from NTLM usernames for use in class 4 Delay Pools
- ... and other bugs and minor code cleanup
Changes to squid-3.0.STABLE2 (1 Mar 2008):
- Add myportname ACL for matching the accepting port name (see release notes)
- Add include directive for squid.conf (see release notes)
- Add ability to strip kerberos realm from usernames during Auth
- License cleanup to comply with GPLv2 or later
- Updated Error Pages and Translations
- Updated configuration examples
- Updated valgrind support for valgrind-3.3.0
- Improved support for Windows and MacOS X Leopard
- Improved support for files larger than 2GB
- Improved support for CARP arrays and WCCPv2
- Improved cachmgr, SNMP, and log reporting
- ... and as usual Many bug fixes since STABLE 1
Changes to squid-3.0.STABLE1 (13 Dec 2007):
- Major rewrite translating the code to C++, originally based on
Squid-2.5.STABLE1
- Internal client streams concept for content adaptation
- ICAP (Internet Content Adaptation Protocol) client support
- ESI (Edge Side Includes) support added
- Improved support for files larger than 2GB.
- And a lot more. Most features from Squid-2.6 is supported, but not
all. See the release notes for details.
Squid-2 ChangeLog of versions fully ported to Squid-3 follows.
Changes to squid-2.6.STABLE22 (19 October 2008)
- Bug #2396: Correct the opening of the PF device file.
- Make --with-large-files and --with-build-envirnment=default play
nice together
- Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include header
__u32 problem
- Make dns_nameserver work when using --disable-internal-dns on glibc
based systems
- Bug #2426: Increase negotiate auth token buffer size
- Bug #2427: squid_ldap_group -h reports the old % codes for -f
- Bug #2477: swap.state permission issues if crashing during "squid -k
reconfigure"
- Windows port: Fix build error using latest MinGW runtime.
Older ChangeLog follows. The sections relating to Squid-2.6 is not entirely
authorative for this release and mirrored here for reference only.
- CARP now plays well with the other peering algorithms,
and support for CARP peerings is compiled by default. Can be
disabled by --disable-carp
- Configuration file can be read from an external program
or preprocessor. See squid.8 man page.
- http_port is now optional, allowing for SSL only operation
- Satellite and other high latency peering relations enhancements
(Robert Cohren)
- Nuked num32 types, and made type detection more robust by the
use of typedefs rather than #defines.
- the mailto links on Squid's ERR pages now contain data about the
occurred error by default, so that the email will contain this data in
its body. This feature can be disabled via the email_err_data directive.
(Clemens L?ser)
- COSS now uses a file called stripe and the path in squid.conf is the
directory this is placed in. Additionally squid -z will create the
COSS swapfile.
- WCCPv2 support, including mask assignment support
- HTCP support for access control and the CRL operation for
purgeing of cache content
- ICAP related fixes
- Windows-related fixes, including Vista and Longhorn identification
- Client-side parsing and some string use optimisations
- Lots of off-by-one and memory leaks in corner cases have been fixed
thanks to valgrind
- Improved high-resolution profiling
- Windows overlapped-IO and thread support added to the Async IO disk code
- Improvements for handling large DNS replies
Changes to squid-2.6.STABLE15 (31 Aug 2007)
- The select() I/O loop got broken by the /dev/poll addition
(2.6.STABLE14)
- Bug #2017: Fails to work around broken servers sending just the HTTP
headers
- Bug #2023: Compile error with old GCC 2.x or other ANSI-C compilers
before C99
- squid.conf.default updated and reorganised in more sensible groups
- correct and document the syslog access_log format
- Armenian error pages translation
- digest_ldap_helper usage help updated
- Bug #1560: ftpSendPasv: getsockname(-1,..): (9) Bad file descriptor
- Improve delay pools in low traffic environment by checking timeouts
at a steady 1 second interval even when there is not much activity
- Don't request authentication on transparently intercepted
connections
- Cleanup linux capabilities for tproxy
- Bug #2003: 'via' config directive doesn't affect response headers
- Bug #1902: Adds Numeric Hit and invalid request counters to IP Cache
- Add missing $|=1 to squid_db_auth
- Bug #2050: Persistent connection dropped if cache has no
Content-Length
- Verify the URL on memory cache hits
- Bug #2057: NTLM stop work in messengers after upgrade to 2.6.STABLE14
- Bug #1972: Squid sets peers to down state when they are in fact
working.
- potential segmentation fault in storeLocateVary()
- Bug #2066: chdir after chroot
- Windows port: Fix compiler warnings when building Squid as
application (not Windows service mode)
- Spelling correction of received
Changes to squid-2.6.STABLE14 (15 Jul 2007)
- squid.conf.default cleanup to have options in their proper sections.
- documentation correction in the refresh_pattern ignore-auth option
- URI-escaping not uses the recommended upper-case hex codes
- refresh_pattern min-age 0 correted to really mean 0, and not 1 second
- Always use xisxxxx() Squid defined macros instead of ctype
functions.
- Kerberos SPNEGO/Negotiate helper for the negotiate scheme
- Database basic auth helper using Perl DBI to connect to most SQL DBs
- Solaris /dev/poll network I/O support
- configure fixes to make cross compilation somewhat easier
- Removed incorrect -a reference from http_port documentation
- Bug #1900: Double "squid -k shutdown" makes Squid restart again
- Bug #1968: Squid hangs occasionally when using DNS search paths
- Novell eDirectory digest auth helper (digest_edir_auth)
- Bug #1130: min-size option for cache_dir
- POP3 basic auth helper querying a POP3 server
- Cosmetic squid_ldap_auth fixes from Squid-3
- Bug #1085: Add no-wrap to cache manager HTML tables
- Automatically restart if number of available filedescriptors becomes
alarmingly low, preventing a situation where Squid would otherwise
permanently stop processing requests.
- Bug #2010: snmp_core.cc:828: warning: array subscript is above
array bounds
- Deal better with forwarding loops
Changes to squid-2.6.STABLE13 (11 May 2007)
- Make sure reply headers gets sent even if there is no body available
yet, fixing RealMedia streaming over HTTP issues.
- Undo an accidental name change of storeUnregisterAbort.
- Kill an ancient malplaced storeUnregisterAbort call from ftp.c
- Bug #1814: SSL memory leak on persistent SSL connections
- Don't log ECONNREFUSED/ECONNABORTED accept failures in cache.log
- Cosmetic fix: added missing newline in WCCPv2 configuration dump.
- Ukrainan error messages
- Convert various error pages from DOS to UNIX text format
- Bug #1820: COSS assertion failure t->length == MD5_DIGEST_CHARS
- Clarify the max-conn=n cache_peer option syntax slightly
- Bug #1892: COSS segfault on shutdown
- Windows port: fix undefined ECONNABORTED
- Make refreshIsCachable handle ETag as a cache validator, not
only last-modified
- in_port_t is not portable, use unsigned short instead
- Fix fs / auth / snmp dependencies
- Portability: statfs() may reqire #include <sys/statfs.h>
Changes to squid-2.6.STABLE12 (20 Mar 2007)
- Assertion error on TRACE
Changes to squid-2.6.STABLE11 (17 Mar 2007)
- Bug #1915: assertion failed: client_side.c:4055: "buf != NULL ||
!conn->body.request"
- Handle garbage helper responses better in concurrent protocol format
- Fix kqueue when overflowing the changes queue
- Make sure the child worker process commits suicide if it could
not start up
- Don't log short responses at debug level 1
- Fix bswap16 & bwsap32 error on NetBSD
- Fix collapsed_forwarding for non-GET requests
Changes to squid-2.6.STABLE10 (4 Mar 2007)
- Upgrade HTTP/0.9 responses to our HTTP version (HTTP/1.0)
- various diskd bugfixes
- In the access.log hierarchy field log the unique peer name
instead of the host name
- unlinkdClose() should be called after (not before) storeDirSync()
- CLEAN_BUF_SZ was defined, but never used anywhere
- logging HTTP-request size
- Fix icmp pinger communication on FreeBSD and other not supporing
large dgram AF_UNIX sockets
- Release objects on swapin failure
- Bug #1787: Objects stuck in cache if origin server clock in future
- Bug #1420: 302 responses with an Expires header is always cached
- Primitive support for HTTP/1.1 chunked encoding, working around
broken servers
- Clean up relations between TCP probing and DNS checks of peers with
no known addresses.
- Fix a minor HTML coding error in ftp directory listings with // in
the path
- Bug #1875, #1420. Cleanup of refresh logics when dealing with
non-refreshable content
- Gopher cleanups and bugfixes
- Negotiate authentication fixed again. Broken since STABLE7 by the
patch for Bug #1792.
- Bug #1892: COSS tries to shut down the same directory twice on exit
- Bug #1908: store*DirRebuildFromSwapLog() ignores some SWAP_LOG_DEL
entries
- Added support for Subversion HTTP request methods MKACTIVITY,
CHECKOUT and MERGE.
Changes to squid-2.6.STABLE9 (24 Jan 2007)
- Bug #1878: If-Modified-Since broken in 2.6.STABLE8
- Bug #1877 diskd bug in storeDiskdIOCallback()
Changes to squid-2.6.STABLE8 (21 Jan 2007)
- Bug #1873: authenticateNTLMFixErrorHeader: state 4.
- Document the https_port vhost option, useful in combination with
a wildcard certificate
- Document the existence of connection pinning / forwarding of NTLM
auth and a few other features overlooked in the release notes.
- Spelling correction of the ssl cache_peer option
- Add back the optional "accel" http_port option. Makes accelerator
mode configurations easier to read.
- Bug #1872: Date parsing error causing objects to get unexpectedly
cached.
- Cleanup to have the access.log tags autogenerated from enums.h
- Bug #1783: STALE: Entry's timestamp greater than check time. Clock
going backwards?
- Don't update object timestamps on a failed revalidation.
- Fix how ftp://user@host URLs is rendered when Squid is built with
leak checking enabled
Changes to squid-2.6.STABLE7 (13 Jan 2007)
- Windows port: Fix intermittent build error using Visual Studio
- Add missing tproxy info from the dump of http port configuration
- Bug #1853: Support for ARP ACL on NetBSD
- clientNatLookup(): fix wrong function name in debug messages
- Convert ncsa_auth man page from DOS to Unix text format.
- Bug #1858: digest_ldap_auth had some remains of old hash format
- Correct the select_loops counter when using select(). Was counted twice
- Clarify the http_port vhost option a bit
- Fix cache-control: max-stale without value or bad value
- Bug #1857: Segmentation fault on certain types of ftp:// requests
- Bug #1848: external_acl crashes with an infinite loop under high load
- Bug #1792: max_user_ip not working with NTLM authentication
- Bug #1865: deny_info redirection with authentication related acls
- Small example on how to use the squid_session helper
- Bug #1863: cache_peer monitorurl, monitorsize and monitorinterval not working properly
- Clarify the transparent http_port option a bit more
- Bug #1828: squid.conf docutemtation error for proxy_auth digest
- Bug #1867: squid.pid isn't removed on shutdown
Changes to squid-2.6.STABLE6 (12 Dec 2006)
- Bug #1817: Assertion failure assert(buflen >= copy_sz) in htcp.c htcpBuildAuth()
- Add client source port logformat tag >p
- Cleanup of transparent & accelerator mode request parsing to untangle the firewall dependencies a bit
- Bug #1799: Harmless 1 byte buffer overflow on long host names in /etc/hosts
- automake no longer recommends mkinstalldirs. Removed.
- Only use crypt() if it's available, allowing ncsa_auth to be built
on platofms without crypt() support.
- Windows port documentation updates
- Bug #1818: Assertion failure assert(e->swap_dirn >= 0) in fs/coss/store_dir_coss.c storeCoss_DeleteStoreEntry
- Bug #1117: assertion failed: aufs/store_dir_aufs.c:642: "rb->flags.need_to_validate"
- Remove extra newline in redirect message sent by deny_info http://... aclname
- Bug #1805: assertion failed: StatHist.c:195: "D[i] >= 0"
- Clarify the external_acl_type helper format specification and some defaults
- Add support for the weight= parameter to round-robin peers
- Bug #1832: Error building squid-2.6.STABLE5 using --enable-truncate
- Convert snmpDebugOid to use a temporary String object instead of strcat
- Document that proxy_auth also accepts -i for case-insensitive operation
- Remove malloc/free of temporary buffer in time parsing routines.
- Reduce memory allocator pressure by not continually allocating client-side read buffers
- Accept large dates >2^31 on 64-bit platformst. Seen for example in the Google logo.
- Convert the connStateData->chr single link list to a normal dlink_list for clarity.
- Bug #1584: Unable to register with multiple WCCP2 routers
- Fix the WCCPv2 mask assignment code to not crash as the value assignments are built.
- Bug #439: Multicast ICP peering is unstable and considers most peers dead
- Bug #1801: NTLM authentication ends up in a loop if the server responds with a retriable error
- Bug #1839: Cosmetic debug message cleanup in peerHandleHtcpReply.
- Bug #1840: Disable digest and netdb queries to multicast peers
- Bug #1641: assertion failed: stmem.c:149: "size > 0" while processing certain Vary objects
- Fix build errors when using latest MinGW Windows environment
Changes to squid-2.6.STABLE5 (3 Now 2006)
- Bug #1776: 2.6.STABLE4 aufs fails to compile if coss isn't enabled
- COSS improvements and cleanups
- SNMP linking issue resolved, enabling SNMP support to be build in all platforms
- Bug #1784: access_log syslog results in blanks syslog lines between every entry
- Bug #1719: Incorrect error message on invalid cache_peer specifications
- Bug #1785: Memory leak in handling of negatively cached objects
- Bug #1780: Incorrect Vary processing in combination with collapsed_forwarding
- Bug #1782: Memory leak in ncsa_auth on password changes
- Suppress some annoying coss startup messages raising the debug level to 2.
- Clarify the external_acl_helper concurrency= change.
- aioDone() could be called twice from aufs and from coss (when using AIOPS) during shutdown.
- Bug #1794: Accept 00:00-24:00 as a valid time specification even if redundand and the same as 00:00-23:59
- Bug #1795: Theoretical memory leak in storeSetPublicKey
- Removing port 563 from the default SSL_ports and Safe_ports ACLs
- Bug #1724: Automatically enable Linux Netfilter support with --enable-linux-tproxy.
- Bug #1800: squid -k reconfigure crash when using req/rep_header acls
- Clarify the select/poll/kqueue/epoll configure --enable/disable options
- Bug #1779: Delay pools fairness when multiple connections compete for bandwidth
- Bug #1802: Crash on exit in certain conditions where cache.log is not writeable
- Bug #1796: Assertion error HttpHeader.c:914: "str"
- Bug #1790: Crash on wccp2 + mask assignement + standard wccp service
- Silence harmless gcc compile warning.
- Clean up poll memory on shutdown
- Ported select, poll and win32 to new comm event framework
- Windows port: Correctly identify Windows Vista and Windows Server Longhorn
- Added a basic comm_select_simple comm loop only requiring minimal POSIX compliance.
- Safeguard from kb_t counter overflows on 32-bit platforms
Changes to squid-2.6.STABLE4 (23 Sep 2006)
- Bug #1736: Missing Italian translation of ERR_TOO_BIG error page
- Windows port enhancement: added native exception handler with signal emulation
- Fix the %un log_format tag again. Got broken in 2.6.STABLE2
- Fix Squid crash when using %a in ERR_INVALID_REQ and ERR_INVALID_URL error messages.
- Bug #212: variable %i always 0.0.0.0 in many error pages
- Bug #1708: Ports in ACL accepts characters and out of range
- Bug #1706: Squid time acl accepts invalid time range.
- Fix another harmless fake_auth compiler warning on gcc 4.1.1 x86
- Fix an harmless snmp_core.c compiler warning on gcc 4.1.1 x86
- Bug #1744: squid-2.6.STABLE3 - fakeauth_auth crashing on certain requests
- Bug #1746: Harmless off by one overrun in ncsa_auth md5 password validation
- Bug #1598: start_announce cannot be disabled
- Periodically flush cache.log to disk when "buffered_logs on" is set
- Numerous COSS improvements and fixes
- Windows port: merge of MinGW support
- Windows port: Merged Windows threads support into aufs
- Bug #1759: Windows port cachemgr.cgi attempts to write to file system root directory
- Numerous portability fixes
- Various minor statistics cleanup on 64-bit hosts with more than 4GB of memory
- Bug #1758: HEAD on ftp:// URLs always returned 200 OK.
- Bug #1760: FTP related memory leak
- Bug #1770: WCCP2 weighted assignment
- Bug #1768: Redundant DNS PTR lookups
- Bug #1696: Add support for wccpv2 mask assignment
- Bug #1774: ncsa_auth support for cramfs timestamps
- Bug #1769: near-hit and filedescriptor usage missing in SNMP MIB
- Bug #1725: cache_peer login=PASS documentation somewhat confusing
- Bug #1590: Silence those ETag loop warnings
- Bug #1740: Squid crashes on certain malformed HTTP responses
- Bug #1699: assertion failed: authenticate.c:836: "auth_user_request != NULL"
- Improve error reporting on unexpected CONNECT requests in accelerator mode
- Cosmetic change to increase cache.log detail level on invalid requests
- Bug #1229: http_port and other directives accept invalid ports
- Reject http_port specifications using both transparent and accelerator options
- Cosmetic cleanup to not dump stacktraces on configuration errors
Changes to squid-2.6.STABLE3 (18 Aug 2006)
- Bug #1577: assertion failed "fm->max_n_files <= (1 << 24)" on
very large cache_dir. Limit number of objects stored to slightly
less to avoid this.
- Bug #1705: Correct error message on invalid time weekday specification
- Don't attempt to guess netmask in src/dst acl specifications
if none was provided. Assume it's an IP even if it ends in 0
- Bug #1665: log_format %ue, %us tags for external or ssl user id
- Bug #1707: delay pools often ignored the set limit
- Bug #1716: Support for recent OpenSSL 0.9.7 versions
(0.9.8 always worked)
- COSS fixes and performance improvements
- Memory leak when reading configuration files with overlapping
ACL data where squid -k parse complains.
- Memory leak related to pinned connections
- Show include acls unexpanded in cachemgr configuration dumps
- Fixed WARNING defer handler for HTTP Socket does not call commDeferFD
- Bug #1304: Downloads may hang when using the cache_dir max-size option
- Optimization of network I/O
- Bug #1730: make problem with --enable-follow-x-forwarded-for on Solaris
- Fixed a memory leak on certain invalid requests
- Bug #1733: ERR_CANNOT_FORWARD Portuguese translation update
- Bug #582: ntlm fake_auth not handles non-ascii login names
- New startup message indicating the type of event loop used
- Bug #1602: TCP fallback on truncated DNS responses
- Bug #1667: assertion failed: store.c:1081: "e->store_status == STORE_PENDING"
- Bug #1723: cachemgr now works in accelerator mode
Changes to squid-2.6.STABLE2 (31 Jul 2006)
- WCCP2 doesn't update statCounter.syscalls.sock.sendtos counter.
- Releasenotes Table of contents should use relative links without
filename.
- Reject HTTP/0.9 formatted CONNECT requests.
- Cosmetic cleanup to use safe_free instead of xfree + manual
assign to NULL
- Bug #1650: transparent interception "Unable to forward this
request at this time"
- Bug #1658: Memory corruption when using client-side SSL certificates
- Add storeRecycle; a storeIO method to delete a StoreEntry w/out
deleting the underlying object.
- Many COSS fixes and new coss data dumper utility for diagnostics
- Bug #1669: SEGV in storeAddVaryReadOld
- Many fixes in debug sections and spelling of debug messages
- Don't keep client connection persistent if there was a mismatch in
the response size.
- Move eventCleanup debug messages to debug level 2 (was 0)
- Add the missing concurrency parameters to basic and digest auth
schemes
- Bug #1670: assertion failure: i->prefix_size > 0 in client_side.c:2509
- Log SSL user id in the custom log User name format (%un)
- Bug #1653: Username info not logged into Cachemgr active_requests
statistics
- Added to the redirectors interface the support for SSL client
certificate
- squid.conf.default cleanup to remove references to old options
- Fix many filedescriptors in combination with TPROXY
- Fix connection pinning in transparently intercepted connections
- Bug #1679: LDFLAGS not honored in some programs.
- Minor cleanup of port numbers in transparent interception or
vhost + vport
- Bug #1671: transparent interception fails with FreeBSD ipfw or
Linux-2.2 ipchains
- Bug #1660: Accept-Encoding related memory corruption
- Bug #1651: Odd results if url_rewriter defined multiple times
- Bug #1655: Squid does not produce coredumps under linux when
started as root
- Bug #1673: cache digests not served to other caches
- Cleanup of Linux capability code used by tproxy
- Bug #1684: xstrdup: tried to dup a NULL pointer!
- Bug #1668: unchecked vsnprintf() return code could lead to log
corruption
- Bug #1688: Assertion failure in HttpHeader.c in some header_access
configurations
- Cygwin support fir --disable-internal-dns
- Silence those annoying sslReadServer: Connection reset by peer
errors.
- Bug #1693: persistent connections broken in transparent
interception mode
- Bug #1691: multicast peering issues
- Bug #1696: Correct WCCP2 processing of router capability info
segments
- Bug #1694: Assertion failure in mgr:config if using
access_log_format %<h
- Bug #1677: Duplicate etags in the If-None-Match header
- Bug #1665: access_log_format codes for login names from external
acl or ssl
- Bug #1681: All ntlmauthenticator processes are busy
- Added ARP acl support for OpenBSD and ARP fixes for Windows
- Bug #1700: WCCP fails on FreeBSD (Unable to disconnect WCCP out
socket)
- WCCP2 correct dampening of assign buckets when there it lots of
changes
- minimum_expiry_time to tune the magic 60 seconds limit of what
is considered cachable when the object doesn't have any cache
validators.
- Bug #1703: wrong path to diskd helper corrected, and config
parser extended to trap incorrect paths early
- Bug #1703: COSS failed to initialize async-io threads
- Bug #1703: should abort if diskd helper exits unexpectedly
- Bug #1702: Warn if acl name is too long
- Bug #1685: Crashes or other odd results after storeSwapMetaUnpack: errors
- wccp2_rebuild_wait directive to delay registering with WCCP until the
- Bug #1662: Infinite loop in external acl with grace period if the
same http_access line had multiple external acls
Changes to squid-2.6.STABLE1 (1 Jul 2006)
- New --enable-default-hostsfile configure option
- Added username info to active_requests cachemgr stats
- Modified squid MIB to incorporate squid.conf visible_hostname
- Added multi-line capability in squid.conf
- Added new httpd_suppress_version_string configuration directive
- WCCPv2 support
- Negotiate authentication scheme support
- NTLM authentication scheme rewritten
- Customizable access log formats
- Selective access logging
- Access logging via syslog
- Reverse proxy enhancements, with new cache_peer based forwarding
model.
- LDAP based Digest helper (Note: not true LDAP integration, just using
LDAP for storage of the Digest hashes)
- Improved helper communication protocol
- External ACL improvements. %PATH, log=, grace=, and more..
- Improved SSL support with hardware offload, client certificate
support (primitive), chained certificates and numerous bug fixes
- DNS lookups now use the search path from /etc/resolv.conf or
the Windows registry
- Linux epoll support
- collapsed forwarding to optimize reverse proxies or other
setups having very many clients going to the same URL
- New improved COSS implementation
- Optional support for blank passwords
- The old and obsolete Samba-2.2.X winbind helpers have been removed
- external acls now uses the simplified URL-escaped protol "3.0" by
default.
- Linux TPROXY support
- Support for proxying of Microsoft Integrated Login by adding
support for the deviations from the HTTP protocol required
to support these authentication mechanisms
- Added the capability to run as a Windows service under Cygwin
- CARP now plays well with the other peering algorithms
- read_ahead_gap option to read ahead more than 16KB of the reply
- check_hostnames and allow_underscore squid.conf options
- http_port is now optional, allowing for SSL only operation
- Full ETag/Vary support, caching responses which varies with
request details (browser, language etc).
- umask now defaults to 027 to protect the content of cache and
log files from local users
- HTCP support for access control and the CRL operation for
purgeing of cache content
- Optionally follow X-Forwarded-For headers to determine the original
client IP behind sedond level proxies
- FreeBSD kqueue support
Changes to squid-2.5.STABLE14 (20 May 2006)
- [Minor] icons not displayed when visible_hostname is a
short hostname (without domain). (Bug #1532)
- [Medium] Memleak in HTCP client code (default disabled)
(Bug #1553)
- [Major] memory leak in ident processing (Bug #1557)
- [Medium] Memory leak in header processing related to external_acl
header detail format tag (Bug #1564)
Changes to squid-2.5.STABLE13 (12 Mar 2006)
- [Minor] Fails to compile on Solaris and some other platforms
with undefined reference to setenv (Bug #1435)
- [Cosmetic] Added WebDAV REPORT method to know HTTP methods list
- [Minor] Squid ntlm_auth (not the Samba provided one) giving
odd results if --enable-ntlm-fail-open is used (Bug #1022)
- [Minor] wbinfo_group.pl doesn't work with Samba 3.0.21 and later
(Bug #1472)
- [Minor] Squid crash when asyncio function counters url accessed
from Cachemgr CGI (Bug #1464)
- [Cosmetic] Linux compile warning about prctl called with too few
arguments (Bug #1483)
- [Minor] Wrong timezone declaration for 64 bit Irix (Bug #1479)
- [Minor] Some 206 responses logged incorrectly (Bug #1511)
- [Minor] Issues in processing ranges on objects >2GB (Bug #437)
- [Cosmetic] Segmentation fault on empty proxy_auth ACLs (Bug #1414)
- [Minor] Ident access lists don't work in delay_access statements
(Bug #1428)
- [Minor] Some clients support NTLM even if not initially negotiating
persistent connections (Bug #1447)
- [Medium] 504 Gateway Time-out on FTP uploads (Bug #1459)
- [Medium] delay pools given too much bandwidht after "-k reconfigure"
(Bug #1481)
- [Cosmetic] New persistent_connection_after_error configuration
directive (Bug #1482)
- [Cosmetic] Hangs at 100% CPU if /dev/null is not accessible (Bug
#1484)
- [Minor] Fails to compile on Fedora Core 5 test 2 x86_64 (Bug #1492)
- [Cosmetic] Typo in ftp.c (Bug #1507)
- [Cosmetic] Error in FTP listings of files with -> in their name
(Bug #1508)
- [Cosmetic] With Squid-2.5 there is no more the DUPLICATE IP logging
in cache.log (Bug #779)
- [Minor] Fails to process long host names (Bug #1434)
- [Cosmetic] Azerbaijani errors translation (Bug #1454)
- [Cosmetic] misleading error message message for bad/unresolveable
cache_peer name (Bug #1504)
- [Cosmetic] confusing statistics on stateful helpers (NTLM auth)
(Bug #1506)
- [Major] connstate memory leak (Bug #1522)
Changes to squid-2.5.STABLE12 (22 Oct 2005)
- [Major] Error introduced in 2.5.STABLE11 causing truncated responses
when using delay pools (Bug #1405)
- [Cosmetic] Document that tcp_outgoing_* works badly in combination
with server_persistent_connections (Bug #454)
- [Cosmetic] Add additinal tracing to squid_ldap_auth making
diagnostics easier on squid_ldap_auth configuration errors
(Bug #1395)
- [Minor] $HOME not set when started as root (Bug #1401)
- [Minor] httpd_accel_single_host breaks in combination with
server_persistent_connections (Bug #1402)
- [Cosmetic] Setting CACHE_HTTP_PORT to configure was only partially
implemented, effectively ignored. (Bug #1403)
- [Minor] CNAME based DNS addresses could get cached for longer
than intended (Bug #1404)
- [Minor] Incorrect handling of squid-internal-dynamic/netdb exchanges
in transparently intercepting proxies (Bug #1410).
- [Minor] Cache revalidations on HEAD requests causing poor cache
hit ratio (Bug #1411).
- [Minor] Not possible to send 302 redirects via a redirector in
response to CONNECT requests (bug #1412)
- [Minor] Incorrect handling of Set-Cookie on cache refreshes (Bug
#1419)
- [Major] Segmentation fault crash in rfc1738_do_escape (Bug #1426)
- [Minor] Delay pools class 3 fails on clients in network 255
(Bug #1431)
Changes to squid-2.5.STABLE11 (22 Sep 2005)
- [Minor] Workaround for servers sending double content-length headers
(Bug #1305)
- [Cosmetic] Updated Spanish error messages by Nicolas Ruiz
- [Cosmetic] Date header corrected on internal objects (icons etc)
(Bug #1275)
- [Minor] squid -k fails in combination with chroot after patch for
bug 1157 (Bug #1307)
- [Cosmetic] Segmentation fault if compiled with
--enable-ipf-transparent but denied access to the NAT device.
(Bug #1313)
- [Minor] httpd_accel_signle_host incompatible with redireection
(Bug #1314)
- [Minor] squid -k reconfigure internal corruption if the type of
a cache_dir is changed (Bug #1308)
- [Minor] SNMP GETNEXT fails if the given OID is outside the Squid MIB
(Bug #1317)
- [Minor] Title in FTP listings somewhat messed up after previous
patch for bug 1220 (Bug #1220)
- [Minor] FTP listings uses "BASE HREF" much more than it needs to,
confusing authentication. (Bug #1204)
- [Minor] winfo_group.pl only looked for the first group if multiple
groups were defined in the same acl. (Bug #1333)
- [Cosmetic] Compiler warnings on some 64-bit platforms (Bug #1316)
- [Cosmetic] Removed some debug output from wb_ntlm_atuh (Bug #518)
- [Cosmetic] The new --with-build-environment=... option doesn't work
- [Cosmetic] New 'mail_program' configuration option in squid.conf
- [Minor] Fails to compile with ip-filter and ARP support on Solaris
x86 (Bug #199)
- [Major] Segmentation fault in sslConnectTimeout (Bug #1355)
- [Medium] assertion failed in StatHist.c:93 (Bug #1325)
- [Minor] More chroot_dir and squid -k reconfigure issues (Bug #1331)
- [Cosmetic] Invalid URLs in error messages when failing to connect
to peer, and a few other inconsistent error messages (Bug #1342)
- [Cosmetic] Fails to compile with glibc -D_FORTIFY_SOURCE=2
(Bug #1344)
- [Minor] Some odd FTP servers respond with 250 where 226 is expected
(Bug #1348)
- [Cosmetic] Greek translation of error messages (Bug #1351)
- [Major] Assertion failed store_status == STORE_PENDING (Bug #1368)
- [Minor] squid_ldap_auth -U does not work (Bug #1370)
- [Minor] SNMP cacheClientTable fails on "long" IP addresses
(Bug #1375)
- [Minor] Solaris Sparc + IP-Filter compile error (Bug #1374)
- [Minor] E-mail sent when cache dies is blocked from many antispam
rules (Bug #1380)
- [Minor] LDAP helpers does not work with TLS (-Z option) (Bug #1389)
- [Cosmetic] Incorrect store dir selection debug message on objects
larger than 2Gigabyte (Bug #1343)
- [Cosmetic] header_id enum misused as an signed integer (Bug #1343)
- [Cosmetic] Allow leaving core dumps when started as root (Bug #1335)
- [Medium] Clients could bypass delay_pool settings by faking a cache
hit request (Bug #500)
- [Minor] IP-Filter 4.X support (Bug #1378)
- [Medium] Odd results on pipelined CONNECT requests
- [Major] Squid crashing with "FATAL: Incorrect scheme in auth header"
when using NTLM authentication.
- [Cosmetic] Odd results when pipeline_prefetch is combined with NTLM
authentication (bug #1396)
- [Minor] invalid host was processed as IP 255.255.255.255 in dst acl
(Bug #1394)
- [Cosmetic] New --with-maxfd=N configure option to override build
time filedescriptor limit test
- [Minor] Added support for Windows code name "Longhorn" on Cygwin.
Changes to squid-2.5.STABLE10 (17 May 2005)
- [Minor Security] Fix race condition in relation to old Netscape
Set-Cookie specifications
- [Minor] Fails to parse D.J. Bernstein's FTP EPLF ftp listing
format and PASV resposes (Bug #1252)
- [Medium] BASE HREF missing on ftp directory URLs without /
(Bug #1253)
- [Minor security] confusing http_access results on configuration
error (Bug #1255)
- [Cosmetic] More robust Date parser (Bug #321)
- [Minor] reload_with_ims fails to refresh negatively cached objects
(Bug #1159)
- [Cosmetic] delay_access description clarification (Bug #1245)
- [Cosmetic] Check for integer overflow in size specifications in
squid.conf (Bug #1247)
- [Cosmetic] bzero is a non-standard function not available on all
platforms (Bug #1256)
- [Cosmetic] Compiler warnings if pid_t is not an int (Bug #1257)
- [Cosmetic] Incorrect use of ctype functions (Bug #1259)
- [Cosmetic] Defer digest fetch if the peer is not allowed to be used
(Bug #1261)
- [Minor] Duplicate content-length headers logged incorrectly or
not cleaned up properly (Bug #1262)
- [Cosmetic] Extend relaxed_header_parser to work around "excess
data from" errors from many major web servers. (Bug #1265)
- [Minor] Add HTTP headers to a netdb error messages
- [Minor] Multiple minor aufs issues (Bug #671)
- [Minor] Basic authentication fails with very long logins or
password (Bug #1171)
- [Minor] CONNECT requests truncated if client side disconnects first
(Bug #1269)
- [Minor] --disable-hostname-checks configure option did not work
- [Cosmetic] LDAP helpers adjusted to compile with SUN LDAP SDK
- [Cosmetic] aufs warning about open event filedescriptors on shutdown
- [Medium] Failed to process requests for files larger than 2GB in size
- [Cosmetic] rename() related cleanup
- [Cosmetic] New cachemgr pending_objects and client_objects actions
- [Cosmetic] external acls requiring authentication did not request
new credentials on access denials like proxy_auth does.
- [Cosmetic] Syslog facility now configurable via command line options.
- [Cosmetic] New %a error page template code expanding into the
authenticated user name. (Bug #798)
- [Minor] IP-Filter 4.0 support in --enable-ipf-transparent
- [Minor] Support interception of multiple ports
- [Cosmetic] Allow "squid -k ..." to run even if the local hostname
can not be determined (Bug #1196)
- [Cosmetic] Configuration file parser now handles DOS/Windows formatted
configuration files with CRLF lineendings proper.
- [Minor] Unrecognized Cache-Control directives now forwarded properly
(Bug #414)
- [Minor] Authentication helpers now returns useable information
in the %m error page macro on failed authentication (Bug #1223)
- [Minor] pid file management corrected in chroot use (Bug #1157)
- [Minor Security] Fix for CVE-1999-0710: cachemgr malicouse use.
cachemgr.cgi now reads a config file telling which proxy servers
it can administer.
- [Minor] aufs statistics improvements
- [Minor] SNMP bugfixes and support for SNMPv2(c) (Bug #1288, #1299)
- [Minor] ARP acl documentation and cachemgr config dump corrections
- [Minor] dstdomain/dstdom_regex acls now allow matching of numeric
hostnames in addition to the reverse lookup of the domain name.
- [Security] Internal DNS client hardened against spoofing
Changes to squid-2.5.STABLE9 (24 Feb 2005)
- [Medium] Don't retry requests on 403 errors (Bug #1210)
- [Minor] Ignore invalid FQDN DNS responses (Bug #1222)
- [Minor] cache_peer related memory leaks on reconfigure (Bug #1246)
- [Cosmetic] Adjusted to build cleanly with GCC-4 (Bug #1211)
- [Minor] relaxed_header_parser extended to work around even more
broken web servers (Bug #1242)
- [Minor] FTP gatewaying URLs cleaned up slightly, mainly to work
better with Mozilla but also to improve security slightly on
non-anonymous FTP.
- [Minor] High characters allowed un-encoded in FTP and Gopher
listings to allow the user-agent to display data in non-iso8859-1
charsets. (Bug #1220)
- [Cosmetic] format fixes to silence compiler warnings on many
platforms.
- [Major] Assertion failures on certain odd DNS responses (Bug #1234)
Changes to squid-2.5.STABLE8 (11 Feb 2005)
- [Minor] 100% CPU usage on half-closed PUT/POST requests (Bug #354,
#1096)
- [Cosmetic] Document -v (protocol version) option to LDAP helpers
- [Minor] The new req_header and resp_header acls segfaults
immediately on parse of squid.conf (Bug #961)
- [Minor] Failure to shut down busy helpers on -k rotate/reconfigure
(Bug #1118)
- [Minor] Don't use O_NONBLOCK on disk files. (Bug #1102)
- [Minor] Squid fails to close TCP connection after blank HTTP
response (Bug #1116)
- [Minor security] Random error messages in response to malformed
host name (Bug #1143)
- [Minor] PURGE should not be able to delete internal objects
(Bug #1112)
- [Minor] httpd_accel_port 0 (virtual) not working correctly (Bug
#1121)
- [Minor] cachemgr vm_objects segfault (Bug #1149)
- [Minor security] Confusing results on empty acl declarations (Bug
#1166)
- [Minor] Don't close all "other" filedescriptors on startup (Bug
#1177)
- [Minor] fakeauth_auth memory leak and NULL pointer access (Bug
#1183)
- [Security] buffer overflow bug in gopherToHTML() (Bug #1189)
- [Medium security] Denial of service with forged WCCP messages
(Bug #1190)
- [Minor] DNS related memory leak on certain malformed DNS responses
(Bug #1197)
- [Minor] Internal DNS sometimes truncates host names in reverse
(PTR) lookups (Bug #1136)
- [Minor Security] Add sanity checks on LDAP user names (Bug #1187)
- [Security] Harden Squid against HTTP request smuggling attacks
- [Minor] Icon URLs fails in non-anonymous FTP directory listings is
short_icon_urls is on (Bug #1203)
- [Security] Harden Squid against HTTP response splitting attacks
(Bug #1200)
- [Medium security] Buffer overflow in WCCP recvfrom() call
(Bug #1217)
- [Security] Properly handle oversized reply headers (Bug #1216)
- [Minor] LDAP helpers search fixed to properly ask for no attributes
- [Minor] A sporadic segmentation fault when using ntlm authentication
fixed (Bug #1127)
- [Major] Segmentation fault on failed PUT/POST requests (Bug #1224)
- [Medium] Persistent connection mismatch on failed PUT/POST request
(Bug #1122)
- [Minor] WCCP easily disturbed by forged packets (Bug #1225)
- [Minor] Password management in ftp:// gatewaying improved (Bug #1226)
- [Major] HTTP reply data corruption in certain situations involving
reply headers split over multiple packets (Bug #1233)
Changes to squid-2.5.STABLE7 (11 Oct 2004)
- [Medium] No objects cached in ufs cache_dir type in some
configurations. Issue introduced in 2.5.STABLE6 by the patch for
Bug #676. (Bug #1011)
- [Minor] LDAP helpers update to correct LDAP connection management
and add support for literal password compare instead of binding
- [Minor] A large number of queued DNS lookups for the same domain
(Bug #852)
- [Cosmetic] request_header_max_size configuration partly ignored
(Bug #899)
- [Minor] Partial hit results in TCP_HIT, not TCP_MISS. (Bug #1001)
- [Cosmetic] HEAD requests may return stale information
(Bug #1012)
- [Cosmetic] Warn if cache_dir ufs can not create files. (Bug #918)
- [Minor] case insensitive authentication (Bug #431)
- [Cosmetic] Add delay pools information to active_requests. (Bug
#882)
- [Minor] Apparent memory leak in client_db (Bug #833)
- [Minor] NTLM authentication truncated causing failures. (Bug
#1016)
- [Cosmetic] Grammatical corrections in squid.conf.default
- [Cosmetic] Unknown %X errorpage codes incorrectly quoted. (Bug
#1030)
- [Medium] Segfaults and other strange crashes when using heap
policies. (Bug #1009)
- [Minor] Supplementary group memberships not set (Bug #1021)
- [Cosmetic] ERR_TOO_BIG Portuguese translation
- [Minor] external_acl does not handle newlines (Bug #1038)
- [Major] NTLM authentication denial of service when using msnt_auth
or fake_auth (Bug #1045)
- [Medium] Memory leaks when using NTLM authentication without
challenge reuse. (Bug #994)
- [Minor] Temporary NTLM memory leak with challenge reuse enabled
(Bug #910)
- [Minor] assertion failed: "n_ufs_dirs <=
Config.cacheSwap.n_configured". (Bug #1053)
- [Minor] Segfault in authenticateDigestHandleReply. (Bug #1031)
- [Minor] acl time fails to parse multiple time specifications
(Bug #1060)
- [Minor] cachemgr config dumps mixed up Range and Request-Range
headers in http_header_access & replace directives. (Bug #1056)
- [Minor] Content-Disposition added as a well known header (Bug #961)
- [Cosmetic] Don't warn about arp acls not being supported on FreeBSD
(Bug #1074)
- [Cosmetic] Limit internal send/receive buffer sizes (Bug #1075)
- [Medium] New acl types to match arbitrary HTTP headers. In addition
the http_header_access & replace directives now support arbitrary
headers and not only the well known ones. (Bug #961)
- [Cosmetic] ncsa_auth now accepts Window formatted password files
(Bug #1078)
- [Cosmetic] Support the --program-prefix/suffix options or other
configure program name transforms (Bug #1019)
- [Minor] Fix race condition in CONNECT and also handle aborts of
CONNECT requests in a more graceful manner. (Bug #859)
- [Minor] New balance_on_multiple_ip directive to work around certain
broken load balancers and optimized ipcache on reload requests
(Bug #1058)
- [Medium] New reply_header_max_size directive
(Bug #874)
- [Minor] Suspected instability on aborted PUT/POST requests
(Bug #1089)
- [Security] SNMP Denial of Service fix (CAN-2004-0918)
Changes to squid-2.5.STABLE6 (9 Jul 2004)
- Bug #937: NTLM assertion error "srv->flags.reserved"
- Bug #935: squid_ldap_auth can be confused by the use of reserved
characters
- Helper queue warnings imprecise on the number of helpers required
- squid_ldap_auth TLS mode works correctly again
- Bug #940, #305: pkg-config support for finding correct OpenSSL
compile flags
- Bug #426: "Vary: *" is ignored
- 100% CPU usage on Linux-2.2
- Version number should not include -CVS if autoconf is run
- Bug #947: deny_info redirection with requested URL escaped wrongly
- Bug #495: CONNECT timeout should produce a 504 or 503
- Bug #956: cache_swap_log documentation referred to swap.state by
it's old swap.log name
- ntlm/auth_ntlm.c(683): warning #187: use of "=" where "==" may
have been intended
- Bug #962: rfc1035NameUnpack: Assertion (*off) < sz failed
- Bug #954: Segment violation when using a blank user name in digest
authentication
- Bug #943: assertion failed: errorpage.c:292: "mem->inmem_hi == 0"
- Spelling corrections in configure and squid.conf.default
- The meaning of ERR in digest helper protocol clarified in the
squid.conf documentation
- Bug #950: Spelling error in Turkish ERR_DNS_FAIL
- Bug #616: Negative cached 404 replies with VARY header never matched
- Bug #968: range_offset_limit -1 KB rejected as invalid syntax
due to a shortcoming in the fix to bug #817
- Bug #570: Very large cache_mem values reported wrongly in cache.log
- Bug #676: store_dir_select_algorithm least-load doesn't work for
ufs cache_dir type
- Bug #946: cacheCurrentUnlinkRequests should be a counter, not gauge
- Bug #948: Show client ip in cache.log debug output
- Bug #960: compilation issue on OpenBSD/m88k
- Bug #969: FTP directory listing HTML DOCTYPE misread by some tools
- Bug #991: dns_servers should default to localhost if no resolv.conf
- Bug #717: msnt_auth documentation update
- Bug #753: Segfault in memBufVPrintf on certain architectures
requiring va_copy
- Bug #941: Negative size in access.log on long running CONNECT
requests
- Bug #972: Segmentation fault after "Likely proxy abuse detected"
- Bug #981: sasl_auth updated to work with SALS2
- Overflow bug in Squid's ntlm_auth helper used for transparent NTLM
authentication to a NT domain without using Samba.
Changes to squid-2.5.STABLE5 (1 Mar 2004):
- cache.log message on "squid -k reconfigure" was slightly confusing,
claiming Squid restarted when it just reread the configuration.
- Bug #787: digest auth never detects password changes
- Bug #789: login with space confuses redirector helpers
- Bug #791: FQDNcache discards negative responses when using
internal DNS
- pam_auth fails on Solaris when using pam_authtok_get. Persistent
PAM connections are unsafe and now disabled by default.
- auth_param documentation clarifications and added default realm
values making only the helper program a required attribute
- Bug #795: German ERR_DNS_FAIL correction
- Bug #803: Lithuanian error messages update
- Bug #806: Segfault if failing to load error page
- Bug #812: Mozilla/Netscape plugins mime type defined (.xpi)
- Bug #817: maximum_object_size too large causes squid not to cache
- Bug #824: 100% CPU loop if external_acl combined with separate
authentication acl in the same http_access line
- squid_ldap_group updated to version 2.12 with support for ldaps://
(LDAPv2 over SSL) and a numer of other improvements.
- Bug #799: positive_dns_ttl ignored when using internal DNS.
- Bug #690: Incorrect html on empty Gopher responses
- Bug #729: --enable-arp-acl may give warning about net/route.h
- Bug #14: attempts to establish connection may look like syn flood
attack if the contacted server is refusing connections
- errorpage README files included in the distribution again showing
who contributed which translation
- Bug #848: connect_timeout connect_timeout ends up twice the length.
forward_timeout option added to address this.
- Bug #849: DNS log error messages should report the failed query
- Bug #851: DNS retransmits too often
- Bug #862: Very frequently repeated POST requests may cause a
filedescriptor shortage due to persitent connections building up
- Bug #853: Sporatic segmentation faults on aborted FTP PUT requests
- Bug #571: Need to limit use of persistent connections when
filedescriptor usage is high
- Bug #856: FTP/Gopher Icon URLs are unneededly complex and often
does not work properly
- Bug #860: redirector_access does not handle "slow" acls such as
"dst" or "external" requiring a external lookup.
- Bug #865: Persistent connection usage too high after sudden burst
of traffic.
- Bug #867: cache_peer max-conn=.. option does not work
- Bug #868: refuses to start if pid_filename none is specified
- Bug #887: LDAP helper -Z (TLS) option does not work
- Bug #877: Squid doesn't follow telnet protocol on FTP control
connections
- Bug #908: Random auth popups and account lockouts when using ntlm
- Support for NTLM_NEGOTIATE exchanges with ntlm helpers
- Bug #585: cache_peer_access fails with NTLM authentication
- Bug #592: always/never_direct fails with NTLM authentication
- wbinfo_group update for Samba-3
- Bug #892: helpers/ntlm_auth/SMB/ fails to compile on FreeBSD 5.0
- Bug #924: miss_access restricts internal and cachemgr requests
even if these are local
- Bug #925: auth headers send by squidclient are mildly malformed
- Bug #922: miss_access and delay_access and several other
authentication related bug fixes.
- Bug #909: Added ARP acl support for FreeBSD
- Bug #926: deny_info with http_reply_access or miss_access
- Bug #872: reply_body_max_size problems when using NTLM auth
- Bug #825: random segmentation faults when using digest auth
- Bug #910: Partial fix for temporary memory leaks when using NTLM
auth. There is still problems if challenge reuse is enabled.
- ftp://anonymous@host/ now accepted without requiring a password
- Bug #594: several mime type updates (ftp:// related)
- url_regex enhanced to allow matching of %00
Changes to squid-2.5.STABLE4 (15 Sep 2003):
- Lithuanian error messages added to the distribution
- Bug #660: segfauld if more than one custom deny_info line
- cache_dir disd documentation cleanup
- check open of /dev/null to avoid 100% CPU loop in badly
configured chroot environments
- documentation update on uri_whitespace to refer to the correct RFC
- Bug #655: icmpRecv: recv: (11) Resource temporarily unavailable
- Bug #683: external_acl does not wait for ident lookups to complete
- aufs: Fix a minor use-after-free problem which could cause the
count of opening filedescriptors to grow larger than it should
- Syntax changes to make GCC-3.3 accept Squid without complaints
- Warning if CARP server defined in incorrect load factor order
- neighbor_type_domain documentation update
- http_header_access now works when using cache peers
- high_memory_warning now uses sbrk as fallback mechanism on
platforms where neither mallinfo or mstats are available.
- hosts_file now handles comments at the end of lines correcly
- storeCheckCachable() Stats corrected for release_request and
wrong_content_length.
- cachePeerPingsSent MIB type corrected
- unused minimum_retry_timeout directive removed
- Bug #702: ERR_TO_BIG spanish translation
- Bug #705: Memory leak on deny_info TCP_RESET
- Code cleanup to fix compile error in httpHeaderDelById
- Bug #699: Host header now forwarded exactly where it was in the
original request to work around certain broken firewalls or
load balancers which fail if this header is too far into the
request headers.
- Bug #704: Memory leak on reply_body_max_size
- Bug #686: requests denied due to http_reply_access are now
logged with TCP_DENIED (instead of TCP_MISS, etc).
- Bug #708: ie_refresh now sends no-cache to have the reload
request propagate properly in cache meshes
- Bug #700: Crashes related to ftpTimeout: timeout in SENT_PASV state
- Bug #709: cbdata.c:186: "c->valid" assertion due to peer
digest not found
- Bug #710: round-robin cache_dir selection incorrectly
compares max-size.
- Statistics corrections in HTTP header statitics
- QUICKSTART cleanups
- Bug #715: statCounter.syscalls.disk counters treated
inconsistently. Now increment the counters in AUFS
functions and for unlinkd.
- Improvements to the (experimental) COSS storage scheme.
- Bug #721: User name field in access.log sometimes blank
- Bug #94: assertion failed: http.c: "-1 == cfd ||
FD_SOCKET == fd_table[cfd].type"
- Bug #716: assertion failed: client_side.c:1478: "size > 0"
- Bug #732: aufs calculates number of threads and limits wrongly
- Bug #663: Username not logged into access.log in case of /407
- Bug #267: Form POSTing troubles with NTLM authentication
and occationally in differen other error conditions.
- Bug #736: ICP dynamic timeout algorithm ignores multicast.
- Bug #733: No explicit error message when ncsa_auth can't access
passwd file
- Bug #267, #757: POST with NTLM stops after persistent connection
timeout
- Bug #742: Wrong status code on access denials if delay_access
is used. Most notably 407 instead of 403 could be returned.
- Bug #763: segfault if using ntlm in http_reply_access
- Bug #638: assertion error if using proxy_auth in delay_access
- Bug #756: segmentation fault if using ntlm proxy_auth in delay_access
- The issue of reply_body_max_size limiting the size of error
messages no longer applies.
- external_acl_type concurrency= option renamed to children= to
prepare for Squid-3 upgrades. Old syntax still accepted for the
duration of the Squid-2.5 release.
- number of filedescriptors rounded down to an even multiple of 64
to work around issues in certain libc implementations.
- winbind helpers less noisy in cache.log on restarts/shutdown.
- Squid now automatically restarts helpers if too many of them
have crashed.
Changes to squid-2.5.STABLE3 (25 May 2003):
- Bug #573: Occational false negatives in external acl lookups
- Bug #577: assertion failed: cbdata.c:224: "c->y == c" when
external_acl helpers crashes
- Bug #590: Squid may hang or behave oddly on shutdown while
requests is being processed.
- Bug #590: external acl lookups does not deal well with queue
overload
- cache_effective_user documentation update
- cache_peer documentation update for htcp and carp
- Bug #600: The example header_access paranoid setting is
missing WWW-Authenticate
- Bug #605: Segmentation fault in idnsGrokReply() on certain
platforms
- Fixes to build properly on AIX 5
- Bug #574: wb_group updated to version 1.1 to make group names
case insensitive and correct a segfault issue in the helper
- SNMP mib updates to make cacheNumObjCount,
cacheCurrentUnlinkRequests, cacheCurrentSwapSize and cacheClients
correctly report as gauges (was reporting as counters).
- Woraround for --enable-ssl Kerberos issue on RedHat 9
- Bug #579: Close and repopen log files on "squid -k reconfigure"
- Bug #598: squid_ldap_auth could segfault if LDAP server is
unavailable
- Bug #609,#612: msntauth helper fixes in dealing with large
or non-existing allow/deny user files.
- Bug #620: acl ident REQUIRED matches even if the ident lookup fails
- Bug #432: reply_body_max_size fails with ident or proxy_auth acls
and also fails to block large objects where the content-length
is not known
- Bug #606: Basic auth looping and gets stuck at high CPU usage when
multiple proxy_auth ACLs combined in one line and login fails.
- squid_ldap_auth updated with support for TLS and SSL
- Bug #623: segfault if using negated external acls in certain
configurations involving other acls later on the same http_access
line.
- Bug #622: wb_group helper update to version 1.2 to ass support for
Domain-Qualified groups refering to groups in a specific domain
- Bug #596: logic error in poll() error management
- Bug #597: logic errors in error management
- Bug #591: segmentation fault in authentication on "squid -k debug"
- Bug #587: smb_auth fails on complex logins involving domain names
or other odd characters
- Bug #558, #587: smb_auth.pl fails on complex logins involving
domain names or other odd characters
- Bug #643: external_acl fails with ttl=0 due to a change introduced
by the patch for Bug #553 in 2.5.STABLE2.
- Bug #630: minor issues in digest authantication causing random
authentication failures and incompability with many mainstream
browser digest implementations due to browser qop bugs. To deal
with those broken browser nonce_stricness now defaults to off,
and two new digest options have been added (check_nonce_count
and post_workaround) to allow workarounds to other quite bad
browser bugs if needed.
- Bug #644: digest authentication fails on requests with one
or more comma in the requested URL
- Bug #648: deny_info TCP_RESET not working. The fix for this also
adds the ability to send redirects.
Changes to squid-2.5.STABLE2 (Mars 17, 2003):
- Contrib files added back to the distribution
- Several compiler warnings fixed when using --disable-ident or
--disable-http-violations
- authentication can now be used in most access controls, but
must in most cases first be enforced in http_access to force
the user to authenticate.
- cleanups in the developer bootstrap.sh process when preparing
the sources.
- several squid.conf.default documentation updated to correctly
refer to the current names when refering to other directives
- authenticate_ip_ttl documentation updates
- several assertion faults and segmentation violations corrected
- the RunCache/RunAccel and squid.rc scripts updated to refer to
the squid binary in sbin rather than the old bin location.
- squid_ldap_auth command line processing fixes when specifying
the LDAP server last on the line instead of -h option
- aufs data corruption bugfix
- aufs performance improvement for low traffic systems
- aufs stability improvements
- external_acl corrected to properly deal with quoted strings
- WCCPv1 bugfix to make sure the router accepts the hash assignments
- "Total accounted memory" now correctly reported in cachemgr
- several small memory leaks (mostly reconfigure related)
- new squid.conf option to allow GET/HEAD requests with a request
entity
- "make uninstall" no longer removes squid.conf
- cachemgr.cgi now uses POST to avoid having the cachemgr password
logged in the web server logs
- authentication schemes which are known to not be proxyable are now
filtered out from forwarded server replies to avoid that the clients
tries to use such schemes when we know for a fact it won't work
- spelling corrections in various error messages
- now possible to define acl values with spaces in them
by using the "include file" feature
- squid_ldap_group updated to 2.10 to fix compilation issues with
recent (and older) OpenLDAP libraries and to make the helper deal
correctly with true LDAP groups by first looking up the user DN.
- Some internal code cleanups
- now verifies that programs etc exists iside the chroot directory
when using chroot_dir. No longer neccesary to set up a split view
environment where the same paths works both inside the chroot and
outside just to convince Squid that the files is actually there..
- improved memory usage reporting
- --disable-hostname-checks configure option
- no longer ignores double dots in host names. Any hostname with
double dots is now rejected as invalid.
- log_mime_hdrs no longer logs garbage if very long headers
are seen.
- 'select_fds_hist' object added to cachemgr 'histogram' output
- pid file now unlinked when squid has really shut down, not
immediately when the shutdown request is received. This allows
the pid file to be monitored to determine when Squid has shut down
properly
- correct authentication scheme setups on some platforms or compilers
- several squid.conf.default documentation updates to remove references
to renamed or replaced directives by changing them to their current
names.
- the SSL reverse proxy support updated to allow building with
OpenSSL 0.9.7 and and later.
- Corrected a minor performance problem while processing HEAD replies
from various broken web servers not sending a correct HTTP reply
- time acls can now specify multiple times in the same acl name, like
most other acl types.
- winbind helpers updated to match Samba-2.2.7a and should
work with Samba-2.2.6 or later (required). For compability with
older Samba versions A new configure option --with-samba-sources=...
has been added to allow you to specify which Samba version the
helpers should be built for if different than the above versions.
- Squid MIB definition syntax correction to work better with newer
(and older) SNMP tools.
- Fixed access.log format when logging "error:invalid-HTTP-ident" on
requests where parsing the HTTP identifier (HTTP/1.0) failed.
- "make distclean" no longer removes the icons, this avoids the
dependency on "uudecode" to rebuild Squid after "make distclean"
- User name returned by external acl lookups (external_acl_type)
is now available as "ident" in later acl checks in addition to
the logging in access.log.
- Incorrect behaviour of Digest authentication partly corrected - it
will not handle sessions, but will always enforce password
correctness.. (patch submitted by Sean Burford).
- Issue with persistent connections and PUT/POST request corrected
Changes to squid-2.5.STABLE1 (September 25, 2002):
- Major rewrite of proxy authentication to support other schemes
than basic. First in the line is NTLM support but others can
easily be added (minimal digest is present). See Programmers Guide.
(Robert Collins & Francesco Chemolli)
- Reworked how request bodies are passed down to the protocols.
Now all client side processing is inside client_side.c, and
the pass and pump modules is no longer used.
used by Squid.
- Optimized searching in proxy_auth and ident ACL types. Squid should
now handle large access lists a lot more efficiently.
(Francesco Chemolli)
- Fixed forwarding/peer loop detection code (Brian Degenhardt) -
now a peer is ignored if it turns out to be us, rather than
committing suicide
- Changed the internal URL code to obey appendDomain for internal
objects if it needs appending. This fixes weirdnesses where
a machine can think it is "foo.bar.com", and "foo" is requested.
(Brian Degenhardt)
- Added the use of Automake to create the Makefile.in's in the squid
source tree. This will allow libtool in the future, and immediately
allows better dependency tracking - with or without gcc - as well
as the dist-all and distcheck targets for developers which respectively
build a tar.gz and a tar.bz2 distribution, and check that what will be
distributed builds.
- Added TOS and source address selection based on ACLs,
written by Roger Venning. This allows administrators to set
the TOS precedence bits and/or the source IP from a set of
available IPs based upon some ACLs, generally to map different
users to different outgoing links and traffic profiles.
- Added 'max-conn' option to 'cache_peer'
- Added SSL gatewaying support, allowing Squid to act as a SSL server
in accelerator setups.
- SASL authentication helper by Ian Castle
- msntauth updated to v2.0.3
- no_cache now applies to cache hits as well as cache misses
- the Gopher client in Squid has been significantly improved
- Squid now sanity checks FTP data connections to ensure the
connection is from the requested server. Can be disabled if
needed by turning off the ftp_sanitycheck option.
- external acl support. A mechanism where flexible ACL checks
can be driven by external helpers. See the external_acl_type
and acl external directives.
- Countless other small things and fixes
- HTML pages generated by Squid or CacheMgr as well as the
ERR documents now contain a doctype declaration so that
browsers know which HTML specification the document uses.
In addition to that they have a new look (background-color, font)
and are valid according to the HTML standards at www.w3.org.
(Clemens L ser)
- Login and password send to Basic auth helpers is now URL escaped
to allow for spaces and other "odd" characters in logins and
passwords
- Proxy Authentication is no longer blindly forwarded to peer
caches if not used locally. If forwarding of proxy authentication
is desired then it must now be configured with the login=PASS
cache_peer option.
- Responses with Vary: in the header are now cached by squid.
(Henrik Nordstrom).
- Removed unused 'siteselect_timeout' directive.
Changes to Squid-2.4.STABLE7 (July 2, 2002):
- Squid now drops any requests using transfer-encoding.
Squid is a HTTP/1.0 proxy and as such do not support
the use of transfer-encoding.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
- Minor changes to support Apple MAC OS X and some other platforms
more easily.
- The client -T option has been implemented
- HTCP related bugfixes in "squid -k reconfigure"
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- FTP data channels are now sanity checked to match the address of
the requested FTP server. This to prevent theft or injection of
data. See the new ftp_sanitycheck directive if this is not desired.
- Security fixes in how Squid parses FTP directory listings into HTML
Changes to Squid-2.4.STABLE6 (March 19, 2002):
- The patch for 2.4.STABLE5 was insufficiently tested and
introduced a bug that causes frequent assertions when
handling DNS PTR answers.
Changes to Squid-2.4.STABLE5 (March 15, 2002):
- Fixed an array bounds bug in lib/rfc1035.c. This bug
could allow a malicious DNS server to send bogus replies
and corrupt the heap memory.
Changes to Squid-2.4.STABLE4 (Feb 19, 2002)
- htcp_port 0 now properly disables htcp
- Fixed problem with certain non-anonymous ftp:// style URL's
- SNMP bugfixes including several memory leaks
Changes to Squid-2.4.STABLE3 (Nov 28, 2001):
- Fixed bug #255: core dump on SSL/CONNECT if access denied by
miss_access
- Fixed bug #246: corrupt on-disk meta information preventing
rebuilds of lost swap.state files
- Fixed bug #243: squid_ldap_auth now supports spaces in passwords
- Fixed a coredump when creating FTP directories
- Fixed a compile time problem with statHistDump prototype mistmatch,
reported by some compilers
- Fixed a potential coredump situation on snmpwalk in certain
configurations
- Fixed bug #229: filedescriptor leakage in the "aufs" cache_dir
store implementation
- Serbian error message translations
Changes to Squid-2.4.STABLE2 (Aug 24, 2001):
- Expanded configure's GCC optimization disabling check to
include GCC 2.95.3
- avoid negative served_date in storeTimestampsSet().
- Made 'diskd' pathnames more configurable
- Make sure squid parent dies if child is killed with
KILL signal
- Changed diskd offset args to off_t instead of int
- Fixed bugs #102, #101, #205: various problems with useragent
log files
- Fixed bug #116: Large Age: values still cause problems
- Fixed bug #119: Floating point exception in
storeDirUpdateSwapSize()
- Fixed bug #114: usernames not logged with
authenticate_ip_ttl_is_strict
- Fixed bug #115: squid eating up resources (eventAdd args)
- Fixed bug #125: garbage HTCP requests cause assertion
- Fixed bug #134: 'virtual port' support ignores
httpd_accel_port, causes a loop in httpd_accel mode
- Fixed bug #135: assertion failed: logfile.c:135: "lf->offset
<= lf->bufsz"
- Fixed bug #137: Ranges on misses are over-done
- Fixed bug #160: referer_log doesn't seem to work
- Fixed bug #162: some memory leaks (SNMP, delay_pools,
comm_dns_incoming histogram)
- Fixed bug #165: "Store Mem Buffer" leaks badly
- Fixed bug #172: Ident Based ACLs fail when applied to
cache_peer_access
- Fixed bug #177: LinuxPPC 2000 segfault bug due to varargs abuse
- Fixed bug #182: 'config' cachemgr option dumps core with
null storage
- Fixed bug #185: storeDiskdDirParseQ[12]() use wrong number
of args in debug/printf
- Fixed bug #187: bugs in lib/base64.c
- Fixed bug #184: storeDiskdShmGet() assertion; changed
diskd to use bitmap instead of linked list
- Fixed bug #194: Compilation fails on index() on some
non-BSD platforms
- Fixed bug #197: refreshIsCachable() incorrectly checks
entry->mem_obj->reply
- Fixed bug #215: NULL pointer access for proxy requests
in accel-only mode
Changes to Squid-2.4.STABLE1 (Mar 20, 2001):