* Add missing stub definition for CPU_ISSET
* Fix build errors in cpuafinity.cc
* Bug 4228: links with krb5 libs despite --without options
* Fix delay_parameters documentation
* Stop using dangling pointers for eCAP-set custom HTTP reason phrases.
* Fix status code-based HTTP reason phrase for eCAP-generated messages.
* Revert r13921: Migrate StoreEntry to using MEMPROXY_CLASS
* Fix cache_peer forceddomain= in CONNECT
* TLS: Handshake Problem during Renegotiation
* Docs: Updated stale Ssl text to make the comment match the code again.
* Fix SSL_get_certificate() problem detection
* Polished cache_peer_access and related documentation.
* Bug 4374: refresh_pattern config parser (%)
* Bug 4373: assertion failed: client_side_request.cc:1709: 'calloutContext->redirect_state == REDIRECT_NONE'
* Make FATAL messages have a consistent prefix
* Add Locker friend class to SBuf for protection against memory issues
* Connection stats, including %<lp, missing for persistent connections
* Fix incorrect authentication headers on cache digest requests
* Bug 4281: copy-paste typos in src/tools.cc
* Bug 4188: Bumping intercepted SSL connections does not work on Solaris
* Avoid errors when parsing manager ACL in old squid.conf
* Bug 4279: No response from proxy for FTP-download of non-existing file
* Bug 3574: crashes on reconfigure and startup
* Bug 4347: compile errors with LibreSSL 2.3
* Align behavior of MEMPROXY_CLASS's operator delete with ::delete on nullptr
* Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size
* Fix cache_peer login=PASS(THRU) after CVE-2015-5400
* Bug 4304: PeerConnector.cc:743 "!callback" assertion.
* Relicense SSPI helper to GPLv2+
* Bug 4208: more than one port in wccp2_service_info line causes error
* Relicense smb_lm auth helper to GPLv2+
* Relicense ntlm_fake_auth.pl to GPLv2+
* SMP: register worker listening ports one by one
* Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules
* Bug 4323: Netfilter broken cross-includes with Linux 4.2
* Cleanup: Migrate StoreEntry to using MEMPROXY_CLASS
* Remove custom pool chunk size for StoreEntry
* Implement default constructor for hash_link
* Bug 4326: base64 binary encoder rejects data beginning with nil byte
* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS processing
These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service and all
other services on the same machine.
However, the bugs are exploitable only if you have configured a
Squid-3.5 listening port with ssl-bump.
The visible signs of these bugs are a Squid crash or high CPU usage.
Skype is known to trigger the crash and/or a small amount of extra CPU
use unintentionally. Malicious traffic is possible which could have
severe effects.
* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords
The SMB LanMan authentication helper in Squid-3.2 and later has been
rejecting valid user credentials.
Reminder: Use of this helper is deprecated. We strongly recommend
against using it. LanMan authentication gives the illusion of
transmitting NTLM protocol while actually transmitting username and
password with crypto algorithms that can be decoded in real-time (this
helper relies on that ability). The combination makes it overall less
secure than even HTTP Basic authentication.
* TLS: Support SNI on generated CONNECT after peek
When Squid generates CONNECT requests it will now attempt to use the
client SNI value if any is known.
Note that SNI is found during an ssl_bump peek action, so will only be
available on some generated CONNECT. Intercepted traffic will always
begin with a raw-IP CONNECT message which must pass access controls and
adaptations before ssl_bump peek is even considered.
* Quieten UFS cache maintenance skipped warnings
This resolves the log noise encountered since the 3.5.8 release when
large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.
* Fix FreeBSD Clang-3.5 build error
* Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
* Bug 3553: cache_swap_high ignored and maxCapacity used instead
* Fix memory leak in Surrogate-Capability header detection
* When a RESPMOD service aborts, mark the body it produced as truncated.
* Cleanup: fix assertion in Store unit tests
* Bug 3696: crash when client delay pools are activated
* Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
* Bug 4306: build portability fix in Kerberos helpers
* Docs: auto-build release notes for snapshots
* FtpServer.cc:1024: "reply != NULL" assertion
* Work around clang-3.6 complaining of unknown attributes in libxml2
* Ignore impossible SSL bumping actions, as intended and documented.
* Bug 4242: compile errors with eCAP using clang-3.6
* Docs: fix typo in miss_access
* Bug 4285 partial: %us is not supported in access.log
* Bug 4302: IPFilter v5 transparent interception
* Docs: update intercept/tproxy related text
* Bug 4301: compile errors with IPFilter interception
* Polish: add debug section,level to cache.log
* Reject non-chunked HTTP messages with conflicting Content-Length values
* Boilerplate: update ignored files
* Boilerplate: add Foundation details to rfcnb and smblib documentation files
* Cleanup: de-duplicate fake-CONNECT code
* Use automake subdir-objects feature
* Bug 4293: wrong SNI sent to server after URL-rewrite
* Add ENABLE_POD2MAN_DOC automake conditional for pod2man builds
* basic_smb_auth: rejecting valid credentials
* basic_smb_auth: doesn't handle passwords with backslashes
* basic_smb_auth: nmblookup fails when smb.conf contains WINS servers
* Docs: fix man(8) page syntax for lexgrog tool
* Make pod2man an optional dependency
* Handle exceptions during squid.conf parse
* When SBuf chop()s away everything, always clear the buffer.
* Cleanup: avoid mentioning compiler directives in configure output
* Bug 4251: incorrect instance name for memory segments in /dev/shm
* Bug 3345: Support %un (any available user name) format code for external ACLs.
* AUFS: Raise I/O queue congestion limits
* Improve handling of client connections on shutdown
* Avoid SSL certificate db corruption with empty index.txt as a symptom.
* Errors served using invalid certificates when dealing with SSL server errors.
* IPv6: improve BCP 177 compliance
* Polish debugs on NAT failure
* Fix crash in TcpAccepter with profiler enabled
* Splice to origin cache_peer.
* Bug 4227: invalid key in AuthUserHashPointer causing assertion failure
* ext_edirectory_userip_acl: fix uninitialized variable
* Do not blindly forward cache peer CONNECT responses.
* Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
* Use relative-URL in errorpage.css for SN.png
* Bug 4193: Memory leak on FTP listings
* Bug 4274: ssl_crtd.8 not being installed
* Fix CONNECT failover to IPv4 after trying broken IPv6 servers
* Bug 4183: segfault when freeing https_port clientca on reconfigure or exit.
* TLS: Disable client-initiated renegotiation
* Translations: add Spanish US dialect alias
* Cleanup: replace __DATE__ and __TIME__ macros
* Fix assertion String.cc:221: "str"
* Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
* Bug 3875: bad mimeLoadIconFile error handling
* Support custom OIDs in *_cert ACLs
* Bug 3329: The server side pinned connection is not closed properly
* Fix X509 server certificate domain matching
* Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections
* Cleanup: Display correct error code in debugging output for IoCallback::finish
* Cleanup: Fix spelling error in debug message in parseHttpRequest()
* Cleanup: Add whitespace to make debug message in writeComplete() more readable
* Add Kerberos support for MAC OS X 10.x
* Bug 4234: comm_connect_addr uses errno incorrectly
* Fix 'access_log none' to prevent following logs being used
* Unexpected SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
* Docs: Update CONTRIBUTORS
* Ensure class Lock counter remains within bounds
* Portability: Add hacks to define C++11 explicit N-bit type limits
* Fix SSL_get_peer_certificate memory leak
* Bug 4231 pt2: comm_open_uds does not provide description for newly opened FD
* Bug 4231 pt1: fd_open() not correctly handling empty descriptions
* Negotiate Kerberos authentication request size exceeds output buffer size.
* Do not increment an iterator invalidated by std::map::erase().
* Fix require-proxy-header preventing HTTPS proxying and ssl-bump
* Fix atomics check broken by C++11 #include added in v3.5 branch r13783
* Support for resuming TLS sessions
* Bug 4212: ssl_crtd crashes with corrupt database
* Fix rev.13795 ServerName class
* Add server_name ACL matching server name(s) obtained from various sources
* Bug 4226: digest_edirectory_auth: found but cannot be built
* Invalid request->clientConnectionManager object used by Ssl::PeerConnector::handleNegotiateError
* Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump"
* Fix cross-compile issues with SSL_get_certificate()
* Docs: RFC 7238 obsoleted by RFC 7538
* Boilerplate: reference Translator copyrights in CREDITS
* Cleanup: Place explicit size on ref-count lock counter
* Cleanup: extend SBuf debugging information
* digest_edirectory_auth: Fix -lnettle dependency error
Changes to squid-3.5.2 (18 Feb 2015):
- Regression Bug 4176: Digest auth too many helper lookups
- Regression Bug 4180: not-fully-initialized data member in ACLUserData
- Bug 4172: Solaris broken krb5-config
- Bug 4073: Cygwin compile errors
- Bug 3919: remove several never-true / never-false comparisons
- HTTPS: Add missing root CAs when validating chains that passed internal checks
- Fix some cbdataFree related memory leaks
- Quieten CBDATA 'leak' messages
- Set SNI information in transparent bumping mode
- negotiate_kerberos_auth: fix krb5.conf backward compatibility
- Fix memory leaks in cachemgr.cgi URL parser
- Fix sslproxy_options in peek-and-splice mode
- ... and fix several portability and build issues
- ... and some documentation updates
- ... and all fixes from squid 3.4.11
issues found in the prior Squid releases.
The major changes to be aware of:
* CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing
http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
This vulnerability allows any client who is allowed to send SNMP
packets to the proxy to perform a denial of service attack on Squid.
The issue came to light as the result of active 0-day attacks. Since
publication several other attack sightings have been reported.
* CVE-2014-7141 and CVE-2014-7142 : SQUID-2014:4
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
These vulnerabilities allow a remote attacking server to trigger DoS or
information leakage by sending various malformed ICMP and ICMPv6
packets to the Squid pinger helper.
The worst-case DoS scenario is a rarity, a more common impact will be
general service degradation for high-performance systems relying on
the pinger for realtime network measurement.
All users of Squid are urged to upgrade to this release as soon as
possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4
Upgrade tip:
"squid -k parse" is starting to display even more useful hints about squid.conf changes.
* kerberos_ldap_group: Fix 'error during setup of Kerberos credential cache'
* Ignore Range headers with unidentifiable byte-range values
* Use v3 for fake certificate if we add _any_ certificate extension.
* Fix regression in rev.13156
* Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formatting codes
* Enable compile-time override for MAXTCPLISTENPORTS
* ntlm_sspi_auth: fix various build errors
* negotiate_wrapper: vfork is not portable
* Windows: fix iphlpapi.h include case-sensitivity
* Windows: correct libsspwin32 API for SSP_LogonUser()
* negotiate_sspi_auth: Portability fixes for MinGW
* ext_lm_group_acl: portability fixes for MinGW
* SourceFormat Enforcement
* Bug 4080: worker hangs when client identd is not responding
* Bug 3966: Add KeyEncipherment when ssl-bump substitutes RSA for EC.
* Reduce cache_effective_user was leaking $HOME memory
* Docs: external_acl_type documentation lies for cache=n option
* Non-HTTPS connections on an SSL-bump enabled port may get stuck
* Do not leak implicit ACLs during reconfigure.
* Ensure that no entries are stored in LruMap when LruMap::memLimit_ is set to 0
* Portability: use 64-bit for X-Cache-Age header
* Windows: fix various libip build issues
* Windows: rename TcpLogger::connect
* Windows: rename ConnOpener::connect
* Change order of BSD-specific network includes so that they are properly picked up
* Do not leak ex_data for SSL state that survived reconfigure.
* Do not register the same Cache Manager action more than once
* Fix leaked TcpAcceptor job on reconfiguration
* Fix leak of ACLs related to adaptation access rules
* Bug 4056: assertion MemPools[type] from netdbExchangeStart()
* Bug 4065: round-robin neighbor selection with unequal weights
* Bug 4050: Segfault in CommSelectEngine::checkEvents on helper response
* Fix segfault setting up server SSL connection
* Regression: segfault logging with %tg format specifier
* SourceFormat Enforcement
* Logformat annotation fixes
* Resolve 'dying from an unhandled exception: c'
* Fix order dependency between cache_dir and maximum_object_size
* Bug 4051: fix inverted test on CONNECT payload existence
* Avoid assertions on Range requests that trigger Squid-generated errors.
* Protect MemBlob::append() against raw-space writes
* Copyright: Relicense helpers by Treehouse Networks Ltd.
* Portability: define CMSG related structures individually
* Fix helper ID number assignment
* Fixed stalled concurrent rock store reads by ensuring their ID uniqueness.
* Bug 3186, Bug 3628: Digest authentication always sending stale=false for nonce
* dynamic_cert_mem_cache_size option related fixes
* Fix umask default on crash report generated email
* Fix pthread library detection on FreeBSD 10
* Bug 4029: intercepted HTTPS requests bypass caching checks
* Bug 4026: SSL and adaptation_access does not handle aborted connections
* Bug 4001: remove use of strsep()
* Move compat/unsafe.h protections from libcompat to source maintenance
* Bug 3969: user credentials cache lookup for Digest authentication broken
* Various fixes to configure for FreeBSD 10
* Regression Bug 3769: client_netmask not evaluated since Comm redesign
* Added missing header in client_side_reply.cc for clang
* Bug 3498: FTP PUT assertion Server.cc:246: 'r->body_pipe != NULL'
* Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
* Fix \-unescaping in quoted strings from helpers
* WCCPv2: fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
* Fix missing cast in rev.13162
* Bug 3980: FATAL ERROR due to max_user_ip -s option
* Fix linker errors "relocation R_X86_64_32 against .rodata"
* Regression in URL helper API
* Bug 3806: Caching responses with Vary header
* Set sslcrtvalidator_children concurrency option default value to 1
* Release notes: update HTML version
* Bug 3589: intercepted and ICAP modified request using a cache_peer
* OpenBSD portability fix in DiskThreads
* Bug 3935: Invalid pointer dereference when peeking at origin server certificate
* Destroy ACLs in the reverse order of creation to avoid destruction segfaults
* Portability: sleep() is sometimes a macro
* Windows: fix compile errors in WinSvc.cc
* Portability: std::string:npos is not always appropriate for String::npos
* Portability: refresh_pattern requires regex
* librfcnb: portability fixes
* Fix more of rev.12660
* Protect aclIsProxyAuth() debugging from NULL names (via NULL AclMatchedName).
* Bug 3972: Segfault when getting the deny info page ID after a reconfigure
* Fix mistake in porting rev.12660
* Bug 3782: Digest authentication not obeying nonce_max_count
* Bug 3970: max_filedescriptors disabled due to missing setrlimit
* Bug 3967: ipc/Kid.cc compilation failure: 'time' was not declared in this scope
* Re-compute Range response content offset after an FTP response was adapted.
* Source Maintenance: re-add snapshot script to branch
* Bug 3960: Dead Peers Are Not Revived
* Windows: Fix aclocal "is already registered" errors
* Windows: Ensure array index is an integer in C code
* Bug 3956: xstrndup: tried to dup a NULL pointer
* Make HTTP header parser obey relaxed_header_parser
* SourceFormat Enforcement
* Replace blocking sleep(3) and close UDS socket on failures.
* Bug 3936: error-details.txt parse error
* Bug 3906: Filedescriptor leaks in SNMP
* kerberos_ldap_group: fix LDAP string duplication
* Avoid "hot idle": A series of rapid select() calls with zero timeout.
* Bug 3887: tcp_outgoing_tos not working for IPv6
* Fix cbdata 'error: expression result unused' errors
* Have testRock use cachemgr stubs
* Bug 3836: Fix issues with automake 1.13 and later and make check (extra)
* Bug 3836: Fix issues with automake 1.13 and later and make check
* Append Connection:close to OPTIONS requests when icap_persistent_connections is off.
* Add cache_miss_revalidate
* Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
* Fix CBDATA_CLASS2 macro definition
* libntlmauth: Fix string field truncation
* ntlm_fake_auth: pass DOMAIN data to Squid in original case
* Fix SQUID_CC_CHECK_ARGUMENT autoconf macro
* Polish: better WARNING when workers directive is ignored on reconfigure.
* Use IPv6 localhost nameserver on DNS configuration errors
* Bug 3923: cbdata and undefined behavior due to dynamic runtime enumeration
* Polish: report bytes received when bad content-length detected by quick-abort
* Bug 3918: Squid 3.3.9 Self Test Failures on Mac OS X 10.8
* Bug 3929: request_header_add not working for tunnel requests
* Fix pinning hierarchy log information
* Close idle client connections associated with closed idle pinned connections.
* Protect against buffer overrun in DNS query generation
* SourceFormat Enforcement
* Bug 3297: Fix openSSL related build failures
* Fix build on FreeBSD 9.x platform with clang
* Bug 3762: remove bogus WARNING in cache.log
* Fix Ip::Address::operator =(sockaddr_storage)
* Make sure %<tt includes all [failed] connection attempts.
* Bug 3854: pt1: compile errors on AIX
* Fix request headers logging for icap_log
* Support HTTP reply ACLs in icap_log and log_icap
* Bug 3802: Fix wrong check inside Format::Format::assemble
* Bug 3786: Fix configure with --disable-internal-dns compile error
* Polished icap_service and ecap_service documentation.
* SourceFormat Enforcement
* Bug 3717: assertion failed with dstdom_regex with IP based URL
* Fix incorrect external_acl_type codes
* Avoid segfaults on seriously malformed requests when ICAP logging is enabled.
* Ask for SSL key password when started with -N but without sslpassword_program.
* basic_ncsa_auth: fix unused variable warnings (typo in rev.12762)
* Fix buffer null termination
* Bug 1991: kqueue causes SSL to hang
* Add and Update PKG_OPTIONS related to storage backend.
- squid-backend-null: "null" type of storage backend had been deprecated.
- Add squid-backend-rock.
- Revive squid-backend-aufs.
Bump PKGREVISION.
* Docs: document ConnOpener::swanSong() better
* Bug 3329: Quieten orphan Comm::Connection messages
* Sync TESTDIR names used by testCoss and testUfs with testRock changes.
* MacOS: reduce the testRock unit test UDS path
* Bug 3720: SourceLayout: shuffle fd_table definition into fde.h
* Bug 3794: MacOS: workaround compiler errors and case-insensitivity
* Polish debugs in cacheability test
* Bug 3753: Removes the domain from the cache_peer server pconn key
* Bug 3781: Proxy Authentication not sent to cache_peer
* Bug 3763: diskd Error: no filename in shm buffer
* Solaris: Fix xstrto*() function linkages
* Mentioned creation of diskers in cache_dir rock documentation.
* Fix coverity scan issue 740457: insecure temporary file creation
* Bug 3686: cache_dir max-size default fails
* Bug 3752: objects that cannot be cached in memory are not cached on disk if cache_dir max-size is used.
The most important of these new features are:
* SQL Database logging helper
* Time-Quota session helper
* SSL-Bump Server First
* Server Certificate Mimic
* Custom HTTP request headers