Compile time warnings when using GCC-3.3
synopsis GCC-3.3 gets slightly confused by the Squid code and gives a
few mostly false warnings regarding type-punning.
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-gcc-3_3.patch
workaround Ignore the warnings
aufs Files queued for open counter mismatch
synopsis Under certain conditions the "Files queued for open counter"
could grow larger than intended. If this grows too large then
Squid may think it runs out of filedescriptors even if there is
plenty of filedescriptors free, but we do not expect this to
become a real problem in any installations.
severity Minor
versions Squid-2.5 and earlier
platforms All using aufs
patch squid-2.5.STABLE3-aufs-openingfds.patch
external_acl does not wait for ident lookups to complete
synopsis extrenal_acl_type %IDENT does not wait for ident lookups to
complete.
severity Minor
bugzilla #683
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-external_acl_ident.patch
workaround use an ident acl before your external acl to trigger the ident
lookup
Compilation error in src/HttpHeaderTools.c on certain platforms
synopsis The Squid-2.5.STABLE2 patch for digest authentication used a
C99 feature (dynamic array initializers) which may not be
available in all C compilers
severity Minor
bugzilla #660
versions Squid-2.5.STABLE3
platforms Several platforms not using GCC or a C99 compliant C compiler
patch squid-2.5.STABLE3-HttpHeaderTools.patch
workaround Use GCC
Segmentation fault if more than one custom deny_info message defined
synopsis The Squid-2.5.STABLE2 patch for deny_info TCP_RESET was not
entirely correct and causes segmentation fault on startup if
more than one custom deny_info error message is defined
severity Minor
bugzilla #662
versions Squid-2.5.STABLE3
platforms All
patch squid-2.5.STABLE3-deny_info.patch
workaround Disable the use deny_info in your squid.conf.
Changes to squid-2.5.STABLE3 (25 May 2003):
- Bug #573: Occational false negatives in external acl lookups
- Bug #577: assertion failed: cbdata.c:224: "c->y == c" when
external_acl helpers crashes
- Bug #590: Squid may hang or behave oddly on shutdown while
requests is being processed.
- Bug #590: external acl lookups does not deal well with queue
overload
- cache_effective_user documentation update
- cache_peer documentation update for htcp and carp
- Bug #600: The example header_access paranoid setting is
missing WWW-Authenticate
- Bug #605: Segmentation fault in idnsGrokReply() on certain
platforms
- Fixes to build properly on AIX 5
- Bug #574: wb_group updated to version 1.1 to make group names
case insensitive and correct a segfault issue in the helper
- SNMP mib updates to make cacheNumObjCount,
cacheCurrentUnlinkRequests, cacheCurrentSwapSize and cacheClients
correctly report as gauges (was reporting as counters).
- Woraround for --enable-ssl Kerberos issue on RedHat 9
- Bug #579: Close and repopen log files on "squid -k reconfigure"
- Bug #598: squid_ldap_auth could segfault if LDAP server is
unavailable
- Bug #609,#612: msntauth helper fixes in dealing with large
or non-existing allow/deny user files.
- Bug #620: acl ident REQUIRED matches even if the ident lookup fails
- Bug #432: reply_body_max_size fails with ident or proxy_auth acls
and also fails to block large objects where the content-length
is not known
- Bug #606: Basic auth looping and gets stuck at high CPU usage when
multiple proxy_auth ACLs combined in one line and login fails.
- squid_ldap_auth updated with support for TLS and SSL
- Bug #623: segfault if using negated external acls in certain
configurations involving other acls later on the same http_access
line.
- Bug #622: wb_group helper update to version 1.2 to ass support for
Domain-Qualified groups refering to groups in a specific domain
- Bug #596: logic error in poll() error management
- Bug #597: logic errors in error management
- Bug #591: segmentation fault in authentication on "squid -k debug"
- Bug #587: smb_auth fails on complex logins involving domain names
or other odd characters
- Bug #558, #587: smb_auth.pl fails on complex logins involving
domain names or other odd characters
- Bug #643: external_acl fails with ttl=0 due to a change introduced
by the patch for Bug #553 in 2.5.STABLE2.
- Bug #630: minor issues in digest authantication causing random
authentication failures and incompability with many mainstream
browser digest implementations due to browser qop bugs. To deal
with those broken browser nonce_stricness now defaults to off,
and two new digest options have been added (check_nonce_count
and post_workaround) to allow workarounds to other quite bad
browser bugs if needed.
- Bug #644: digest authentication fails on requests with one
or more comma in the requested URL
- Bug #648: deny_info TCP_RESET not working. The fix for this also
adds the ability to send redirects.
- Don't left share/doc/squid directory on deinstall.
- Apply recent 12 official patches.
- (Minor) deny_info TCP_RESET does not work
- (Minor) Digest authentication fails on URLs with comma
- (Minor) digest nonce count workarounds for broken browsers
- (Minor) external_acl hangs if defined with ttl=0
- (Minor) smb_auth.pl (multi-domain-NTLM) fails on domain qualified logins
- (Minor) smb_auth fails on complex logins (involving domain names or odd
characters)
- (Minor) ACL regression error introduced by earlier 2.5.STABLE2 patch
- (Cosmetic) segmentation fault in authentication if debugging enabled
- (Cosmetic) Unreachable code due to siged/unsigned errors
- (Minor) logic error in comm_select.
- (Minor) wb_group update to 1.2 to add support for domain qualified goups
- (Minor) Segmentation fault when using negated external acls
Apply newer offcial patches (total 19). Here is short summary of those
newly added patch files.
See http://www.squid-cache.org/Versions/v2/2.5/bugs/ in detail.
o squid_ldap_auth update to support TLS, SSL and increased security for bind
password
o Basic auth looping when multiple proxy_auth ACLs combined in one line.
o reply_body_max_size fails with ident or proxy_auth acls
o acl ident REQUIRED matches even if the ident lookup fails
o msntauth helper crashes related to the alow/deny file operation
o LDAP basic authentication crash if server is unreachable
o "squid -k reconfigure" does not close logs to activate new settings
o --enable-ssl fails on RedHat 9
o SNMP MIB used Counter32 for certain values which are gauges
o Upgrade of wb_group to 1.1
o AIX 5 issues
o egmentation fault in idnsGrokReply() on certain platforms
synopsis A bug in how Squid processes certain DNS
replies can cause segmentation faults on
certain platforms. Linux and FreeBSD on X86
platforms seems unaffected however.
severity Major
bugzilla #605
versions Squid-2.5 and earlier
platforms Solaris SPARC and several other
patch squid-2.5.STABLE2-dns_root_label.patch
workaround Recompile squid with --disable-internal-dns
o The example header_access paranoid setting is missing WWW-Authenticate
synopsis The paranoid header_access example is missing
WWW-Authenticate, and thereby unintentionally
denying authentication to web sites if used
without modifitaions.
severity Cosmetic
bugzilla #600
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-header_access_paranoid.patch
- Squid may hang or behave oddly on shutdown while requests is being processed.
synopsis Squid may hang or otherwise behave oddly in shutdown
if there is new requests processed at the same
time. On shutdown Squid internally shut down DNS,
redirectors and external acls while still processing
new requests already received. In combination with the
external acl queue overload bug this can completely
hang Squid, preventing it from shutting down.
severity Minor
bugzilla #590
versions Squid-2.5 and earlier
platforms All
- external acl lookups does not deal well with queue overload
synopsis If there is a queue overload for external acl lookups
then Squid logs "externalAclLookup: 'xxx' queue
overload" at a very high rate in cache.log until the
condition clears up.
severity Major
bugzilla #590
versions Squid-2.5
platforms All
- cache_effective_user documentation unclear
synopsis The cache_effective_user/group documentation was
unclear on what happens if only one of the directives
is set, or when Squid is started as a non-root user.
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
- cache_peer documentation missing for htcp and carp
synopsis The cache_peer documentation for the htcp and carp
related options was missing
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
pkgsrc change: install some supplemental documents.
Changes to squid-2.5.STABLE2 (Mars 17, 2003):
- Contrib files added back to the distribution
- Several compiler warnings fixed when using --disable-ident or
--disable-http-violations
- authentication can now be used in most access controls, but
must in most cases first be enforced in http_access to force
the user to authenticate.
- cleanups in the developer bootstrap.sh process when preparing
the sources.
- several squid.conf.default documentation updated to correctly
refer to the current names when refering to other directives
- authenticate_ip_ttl documentation updates
- several assertion faults and segmentation violations corrected
- the RunCache/RunAccel and squid.rc scripts updated to refer to
the squid binary in sbin rather than the old bin location.
- squid_ldap_auth command line processing fixes when specifying
the LDAP server last on the line instead of -h option
- aufs data corruption bugfix
- aufs performance improvement for low traffic systems
- aufs stability improvements
- external_acl corrected to properly deal with quoted strings
- WCCPv1 bugfix to make sure the router accepts the hash assignments
- "Total accounted memory" now correctly reported in cachemgr
- several small memory leaks (mostly reconfigure related)
- new squid.conf option to allow GET/HEAD requests with a request
entity
- "make uninstall" no longer removes squid.conf
- cachemgr.cgi now uses POST to avoid having the cachemgr password
logged in the web server logs
- authentication schemes which are known to not be proxyable are now
filtered out from forwarded server replies to avoid that the clients
tries to use such schemes when we know for a fact it won't work
- spelling corrections in various error messages
- now possible to define acl values with spaces in them
by using the "include file" feature
- squid_ldap_group updated to 2.10 to fix compilation issues with
recent (and older) OpenLDAP libraries and to make the helper deal
correctly with true LDAP groups by first looking up the user DN.
- Some internal code cleanups
- now verifies that programs etc exists iside the chroot directory
when using chroot_dir. No longer neccesary to set up a split view
environment where the same paths works both inside the chroot and
outside just to convince Squid that the files is actually there..
- improved memory usage reporting
- --disable-hostname-checks configure option
- no longer ignores double dots in host names. Any hostname with
double dots is now rejected as invalid.
- log_mime_hdrs no longer logs garbage if very long headers
are seen.
- 'select_fds_hist' object added to cachemgr 'histogram' output
- pid file now unlinked when squid has really shut down, not
immediately when the shutdown request is received. This allows
the pid file to be monitored to determine when Squid has shut down
properly
- correct authentication scheme setups on some platforms or compilers
- several squid.conf.default documentation updates to remove references
to renamed or replaced directives by changing them to their current
names.
- the SSL reverse proxy support updated to allow building with
OpenSSL 0.9.7 and and later.
- Corrected a minor performance problem while processing HEAD replies
from various broken web servers not sending a correct HTTP reply
- time acls can now specify multiple times in the same acl name, like
most other acl types.
- winbind helpers updated to match Samba-2.2.7a and should
work with Samba-2.2.6 or later (required). For compability with
older Samba versions A new configure option --with-samba-sources=...
has been added to allow you to specify which Samba version the
helpers should be built for if different than the above versions.
- Squid MIB definition syntax correction to work better with newer
(and older) SNMP tools.
- Fixed access.log format when logging "error:invalid-HTTP-ident" on
requests where parsing the HTTP identifier (HTTP/1.0) failed.
- "make distclean" no longer removes the icons, this avoids the
dependency on "uudecode" to rebuild Squid after "make distclean"
- User name returned by external acl lookups (external_acl_type)
is now available as "ident" in later acl checks in addition to
the logging in access.log.
- Incorrect behaviour of Digest authentication partly corrected - it
will not handle sessions, but will always enforce password
correctness.. (patch submitted by Sean Burford).
- Issue with persistent connections and PUT/POST request corrected
- include more official squid patches.
o Make external_acl user names available as IDENT in later acl processing
o digest authentication security issue
o external_acl Assertion failed: auth_user_request != NULL
o make install fails to install icons after make distclean
o "error: invalid HTTP-ident" breaks log processing
since it is broken (reported to squid-bugs@squid-cache.org.)
- use DIST_SUBDIR.
- bump PKG_REVISION.
These patches fixes those problem. See
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> in detail.
o Squid MIB definition syntax error
o winbind helpers fail to work with Samba 2.2.6 or later
o CONNECT data corruption if client pipelines data before 200 OK reply
o time acls only accept a single time
o Client performance issue with HEAD requests to certain servers
o --with-ssl fails to compile with OpenSSL 0.9.7 or later
o Slow filedescriptor leak for /etc/hosts
o Warn if cachemgr_passwd is specified more than once for the same action
o assertion failed: forward.c:96: "fwdState->err" on shutdown
o Compilation fails if incorrect --with-auth-threads=NN option is given
o squid.conf documentation still refers to authenticate_program
o authenticateAuthenticate: no connection data, cannot process
authentication
o delay_pools example does not match text
o cachemgr helper stats cleanup
o Segmentation fault after ftpDataWriteCallback
o Issues with auth scheme configurations
o Removed Cachable stats "no.non_get"
o unclear documentation of http_reply_body_max_size
o The pid file was removed too early in the shutdown process
o select loops statistics incorrect when using select()
o Added select filedescriptor histogram output to cachemgr
o Duplicate assignment of sc->copy_offset
o mem_pool_free_calls should be printed as a unsigned integer
o Internal cleanup of peer selection accounting
o log_mime_hdrs can show garbage in the access log on overly long request
headers
o Improved memory usage statistics via sbrk
o Hostname cleanups performed by Squid
o cachemgr failure_ratio is a ratio, not percentage
o offline_toggle cachemgr documentation
o squid_ldap_group update to version 2.10
o Documentation update to remove stale reference to Squid-1.1 release notes
o further safeguards for aufs compilation problems when not using
--enable-pthreads
o chroot_dir complains about all paths in squid.conf
o Segfault when using -S in combination with cache_dir coss/null
o Stale cached data miss in offline_mode
o Sometimes crashes while rebuilding dirty cache directories
o RunCache/RunAccel scripts still looks for squid in bin
o poor performance when using aufs
o squid_ldap_group link failure
o assertion failed: comm.c:646: "F->flags.open"
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
- Apply disabled official patch since the patch's content has corrected.
* Impossible to define acls with spaces in them
- Remove "@unexec ${RMDIR} %D/etc/squid ..." line from PLIST since
there is already removing directory line which use more generic
PKG_SYSCONFDIR variable.
Apply official patches:
* Small typo in dnsserver error message on DNS overload
* Filter out unproxyable authentication schemes
* cachemgr login & password revealed in HTTP server log files
* make uninstall removes squid.conf
* Segmentation fault if a external_acl helper exits prematurely
* Squid rejects GET/HEAD with request entities claimint error 411
* external_acl.c compilation failure
* memory leak of acl structures on "squid -k reconfigure"
* Occasional corruption of objects when using aufs
* Cachemgr "Total accounted:" memory statistics always report "-1"
* WCCP hash assignment can sometimes be missed by the router
* external_acl helper problem with spaces
* --enable-async-io or --with-storeio=aufs fails to automatically enable --with-pthreads
* "make addlang" fails
* Specifying LDAP servers last on the command line does not work
* Referer log not closed on shutdown
* Many files missing from the contrib directory
But the most recent patch isn't included since it content seems to be
broken.
* Impossible to define acls with spaces in them
to OPTIONAL_FILES in Makefile.
This fix a problem when setting SQUID_CONFIGURE_ARGS in /etc/mk.conf
without --enable-external-acl-helpers=unix_group.
Noted by private mail from Tomasz Luchowski <tomasz at luchowski.com>.
http://www.squid-cache.org/Versions/v2/2.5/bugs/.
Now try to install more authentication modules, but those modules
should be handled by proper frame work (Curretly, SASL modules
aren't handled).
Changes to squid-2.5 ():
- Major rewrite of proxy authentication to support other schemes
than basic. First in the line is NTLM support but others can
easily be added (minimal digest is present). See Programmers Guide.
(Robert Collins & Francesco Chemolli)
- Reworked how request bodies are passed down to the protocols.
Now all client side processing is inside client_side.c, and
the pass and pump modules is no longer used.
- Optimized searching in proxy_auth and ident ACL types. Squid should
now handle large access lists a lot more efficiently.
(Francesco Chemolli)
- Fixed forwarding/peer loop detection code (Brian Degenhardt) -
now a peer is ignored if it turns out to be us, rather than
committing suicide
- Changed the internal URL code to obey appendDomain for internal
objects if it needs appending. This fixes weirdnesses where
a machine can think it is "foo.bar.com", and "foo" is requested.
(Brian Degenhardt)
- Added the use of Automake to create the Makefile.in's in the squid
source tree. This will allow libtool in the future, and immediately
allows better dependency tracking - with or without gcc - as well
as the dist-all and distcheck targets for developers which respectively
build a tar.gz and a tar.bz2 distribution, and check that what will be
distributed builds.
- Added TOS and source address selection based on ACLs,
written by Roger Venning. This allows administrators to set
the TOS precedence bits and/or the source IP from a set of
available IPs based upon some ACLs, generally to map different
users to different outgoing links and traffic profiles.
- Added 'max-conn' option to 'cache_peer'
- Added SSL gatewaying support, allowing Squid to act as a SSL server
in accelerator setups.
- SASL authentication helper by Ian Castle
- msntauth updated to v2.0.3
- no_cache now applies to cache hits as well as cache misses
- the Gopher client in Squid has been significantly improved
- Squid now sanity checks FTP data connections to ensure the
connection is from the requested server. Can be disabled if
needed by turning off the ftp_sanitycheck option.
- external acl support. A mechanism where flexible ACL checks
can be driven by external helpers. See the external_acl_type
and acl external directives.
- Countless other small things and fixes
- HTML pages generated by Squid or CacheMgr as well as the
ERR documents now contain a doctype declaration so that
browsers know which HTML specification the document uses.
In addition to that they have a new look (background-color, font)
and are valid according to the HTML standards at www.w3.org.
(Clemens Löser)
- Login and password send to Basic auth helpers is now URL escaped
to allow for spaces and other "odd" characters in logins and
passwords
- Proxy Authentication is no longer blindly forwarded to peer
caches if not used locally. If forwarding of proxy authentication
is desired then it must now be configured with the login=PASS
cache_peer option.
- Responses with Vary: in the header are now cached by squid.
(Henrik Nordstrom).
- Removed unused 'siteselect_timeout' directive.
2.4STABLE6:
- Squid now drops any requests using transfer-encoding.
Squid is a HTTP/1.0 proxy and as such do not support
the use of transfer-encoding.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
- Minor changes to support Apple MAC OS X and some other platforms
more easily.
- The client -T option has been implemented
- HTCP related bugfixes in "squid -k reconfigure"
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- FTP data channels are now sanity checked to match the address of
the requested FTP server. This to prevent theft or injection of
data. See the new ftp_sanitycheck directive if this is not desired.
- Security fixes in how Squid parses FTP directory listings into HTML
Remove `-p' from mkdir arguments, it is already part of ${MKDIR}.
While here substitute a couple of ${PREFIX} by `%D' in
`@exec ${MKDIR} ...' lines and add a couple of missing `%D' in such lines too!
This fixes squid's potential security problem.
Changes to Squid-2.4.STABLE6 (March 19, 2002):
- The patch for 2.4.STABLE5 was insufficnetly tested and
introduced a bug that causes frequent assertions when
handling DNS PTR answers.
Changes to Squid-2.4.STABLE5 (March 15, 2002):
- Fixed an array bounds bug in lib/rfc1035.c. This bug
could allow a malicious DNS server to send bogus replies
and corrupt the heap memory.
2.4STABLE3:
- htcp_port 0 now properly disables htcp
- Fixed problem with certain non-anonymous ftp:// style URL's
- SNMP bugfixes including several memory leaks
- replace a hack adding fd_mask definition in autoconf.h with re-writing
configure script. It cause to run configure twice and result "no fd_mask".
- Incorporate three official patches from
http://www.squid-cache.org/Versions/v2/2.4/bugs/.
o SNMP memory leaks
synopsis
The SNMP implementation in Squid had several memory leaks
possibly causing an denial of service.
workaround
Disable the SNMP port if enabled by using "snmp_port 0" in
squid.conf. Or if you only use SNMP for MRTG data
collection running on the same host then use
"snmp_incoming_address 127.0.0.1" to limit reachability
of the SNMP port to only localhost or some other trusted
network.
o Coredump on certain ftp:// style URL's
synopsis
If certain constructed ftp:// style URL's are received then
squid crashes, causing a denial of service and maybe even
remote execution of code.
workaround
Deny forwarding of non-anonymous FTP URLs by inserting
the following rules at the top of squid.conf, prior to
any http_access allow lines.
acl non_anonymous_ftp url_regex -i ftp://[^/@]*@
http_access deny non_anonymous_ftp
o "htcp_port 0" fails to disable the HTCP port
synopsis
"htcp_port 0" fails to completely disable the HTCP port as
documented in squid.conf, instead HTCP will be listening on
a random port number.
from "Ciarcinski, Adam \(ISS Brussels\)" <ACiarcinski@iss.net>.
From ChangeLog:
Changes to Squid-2.4.STABLE3 (Nov 28, 2001):
- Fixed bug #255: core dump on SSL/CONNECT if access denied by
miss_access
- Fixed bug #246: corrupt on-disk meta information preventing
rebuilds of lost swap.state files
- Fixed bug #243: squid_ldap_auth now supports spaces in passwords
- Fixed a coredump when creating FTP directories
- Fixed a compile time problem with statHistDump prototype mistmatch,
reported by some compilers
- Fixed a potential coredump situation on snmpwalk in certain
configurations
- Fixed bug #229: filedescriptor leakage in the "aufs" cache_dir
store implementation
- Serbian error message translations
I added following changes, too.
o honor PKG_SYSCONFDIR keep SQUID_SYSCONFDIR effective.
o Add --disable-internal-dns. This made external dnsserver
available. External dnsserver could be disabled with configuration
file.
o Enable optimization with "-O".
o Fix a problem to access nat device when transparent proxy enabled.
This fix will be contained in squid 2.5 release.
o setproctitle() hack for external dnsserver from daemonnews's article.
installed into "etc/squid" (and are not moved arround after installation).
The message of the install script matches the actual layout again and is
adapted to changes to "SQUID_SYSCONFDIR".
