pkgsrc change:
o set DIST_SUBR to ${PKGNAME}.
Changes:
o 2004-06-07 21:25 (Cosmetic) Negative size in access.log on long
running CONNECT requests
o 2004-06-08 11:01 (Major) Segmentation fault after
"Likely proxy abuse detected"
o 2004-06-18 17:39 (Security issue) Overflow bug in Squid's ntlm_auth helper.
Note: currently below patch isn't applied since it is broken and I'm
not sure how it shold be corrected. I wish it would fixed
before tagging pkgsrc-2004Q2.
o 2004-06-08 11:42 (Minor) sasl_auth doesn't compile with SALS2
Bug #753: va_copy required
Bug #995: segfault on long URLs (bug in previous patch to Bug #753)
And reduce offset from pkgsrc's patches.
Bump package revision.
* 2004-06-01 08:38 (Medium) Segfault in memBufVPrintf on certain
architectures requiring va_copy
* 2004-06-01 00:00 (Cosmetic) msnt_auth documentation update
* 2004-05-31 23:37 (Cosmetic) dns_servers should default to localhost
if no resolv.conf
* 2004-05-31 23:37 (Cosmetic) FTP directory listing HTML DOCTYPE misread
by some tools
* 2004-06-01 08:26 (Minor) fix compilation on OpenBSD/m88k
* 2004-05-31 22:59 (Cosmetic) Show client ip in cache.log debug output
* 2004-05-31 22:43 (Minor) cacheCurrentUnlinkRequests should be a counter,
not gauge
* 2004-05-31 22:08 (Minor) store_dir_select_algorithm least-load doesn't
work for ufs cache_dir type
* 2004-05-31 21:32 (Cosmetic) Very large cache_mem values reported wrongly
in cache.log
o 2004-03-11 15:29 (Cosmetic)
Helper queue warnings inprecice on the number of helpers required
o 2004-03-12 10:13 (Cosmetic)
Add pkg-config support for finding correct OpenSSL compile flags
o 2004-03-19 09:02 (Medium) "Vary: *" is ignored
o 2004-03-19 09:12 (Minor) 100% CPU usage on Linux-2.2
o 2004-03-19 09:17 (Cosmetic)
Version number includes -CVS if autoconf is run
o 2004-03-29 09:47 (Minor)
deny_info redirection with requested URL escaped wrongly
o 2004-03-29 10:02 (Minor) CONNECT timeout should produce a 504 or 503
o 2004-04-03 13:54 (Cosmetic)
cache_swap_log documentation referred to swap.state by it's old
swap.log name
o 2004-04-06 14:12 (Cosmetic)
ntlm/auth_ntlm.c(683): warning #187: use of "=" where "==" may
have been intended
o 2004-04-11 09:19 (Medium) rfc1035NameUnpack: Assertion (*off) < sz failed
o 2004-04-18 01:33 (Major)
Segment violation when using a blank user name in digest authentication
o 2004-04-18 23:46 (Medium)
assertion failed: errorpage.c:292: "mem->inmem_hi == 0"
o 2004-04-20 12:30 (Cosmetic)
Spelling corrections in configure and squid.conf.default
o 2004-04-20 12:38 (Cosmetic)
Clarify meaning of ERR in digest helper protocol
o 2004-04-20 12:38 (Cosmetic)
Spelling error in Turkish ERR_DNS_FAIL
o 2004-04-24 14:10 (Minor)
Negative cached 404 replies with VARY header never matches
o 2004-04-30 00:01 (Minor)
range_offset_limit -1 KB rejected as invalid syntax
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
Most of these changes from 2.5.STABLE4 to 2.5STABLE5 are already applied
in previous squid-2.5.4nb8 package.
Changes to squid-2.5.STABLE5 (1 Mar 2004):
- cache.log message on "squid -k reconfigure" was slightly confusing,
claiming Squid restarted when it just reread the configuration.
- Bug #787: digest auth never detects password changes
- Bug #789: login with space confuses redirector helpers
- Bug #791: FQDNcache discards negative responses when using
internal DNS
- pam_auth fails on Solaris when using pam_authtok_get. Persistent
PAM connections are unsafe and now disabled by default.
- auth_param documentation clarifications and added default realm
values making only the helper program a required attribute
- Bug #795: German ERR_DNS_FAIL correction
- Bug #803: Lithuantian error messages update
- Bug #806: Segfault if failing to load error page
- Bug #812: Mozilla/Netscape plugins mime type defined (.xpi)
- Bug #817: maximum_object_size too large causes squid not to cache
- Bug #824: 100% CPU loop if external_acl combined with separate
authentication acl in the same http_access line
- squid_ldap_group updated to version 2.12 with support for ldaps://
(LDAPv2 over SSL) and a numer of other improvements.
- Bug #799: positive_dns_ttl ignored when using internal DNS.
- Bug #690: Incorrect html on empty Gopher responses
- Bug #729: --enable-arp-acl may give warning about net/route.h
- Bug #14: attempts to establish connection may look like syn flood
attack if the contacted server is refusing connections
- errorpage README files included in the distribution again showing
who contributed which translation
- Bug #848: connect_timeout connect_timeout ends up twice the length.
forward_timeout option added to address this.
- Bug #849: DNS log error messages should report the failed query
- Bug #851: DNS retransmits too often
- Bug #862: Very frequently repeated POST requests may cause a
filedescriptor shortage due to persitent connections building up
- Bug #853: Sporatic segmentation faults on aborted FTP PUT requests
- Bug #571: Need to limit use of persistent connections when
filedescriptor usage is high
- Bug #856: FTP/Gopher Icon URLs are unneededly complex and often
does not work properly
- Bug #860: redirector_access does not handle "slow" acls such as
"dst" or "external" requiring a external lookup.
- Bug #865: Persistent connection usage too high after sudden burst
of traffic.
- Bug #867: cache_peer max-conn=.. option does not work
- Bug #868: refuses to start if pid_filename none is specified
- Bug #887: LDAP helper -Z (TLS) option does not work
- Bug #877: Squid doesn't follow telnet protocol on FTP control
connections
- Bug #908: Random auth popups and account lockouts when using ntlm
- Support for NTLM_NEGOTIATE exchanges with ntlm helpers
- Bug #585: cache_peer_access fails with NTLM authentication
- Bug #592: always/never_direct fails with NTLM authentication
- wbinfo_group update for Samba-3
- Bug #892: helpers/ntlm_auth/SMB/ fails to compile on FreeBSD 5.0
- Bug #924: miss_access restricts internal and cachemgr requests
even if these are local
- Bug #925: auth headers send by squidclient are mildly malformed
- Bug #922: miss_access and delay_access and several other
authentication related bug fixes.
- Bug #909: Added ARP acl support for FreeBSD
- Bug #926: deny_info with http_reply_access or miss_access
- Bug #872: reply_body_max_size problems when using NTLM auth
- Bug #825: random segmentation faults when using digest auth
- Bug #910: Partial fix for temporary memory leaks when using NTLM
auth. There is still problems if challenge reuse is enabled.
- ftp://anonymous@host/ now accepted without requiring a password
- Bug #594: several mime type updates (ftp:// related)
- url_regex enhanced to allow matching of %00
And two official patches' changes.
assertion failed: helper.c:323: "srv->flags.reserved"
synopsis If using ntlm authentication then Squid may
randomly abort with the above assertion
failure if a request is aborted while Squid
waits for a response from the domain controller
severity Medium
date 2004-03-01 23:55
bugzilla #937
versions Squid-2.5.STABLE5
platforms All
workaround half_closed_connections on (the default)
squid_ldap_auth can be confused by the use of reserved characters
synopsis squid_ldap_auth may be confused by the use of
reserved characters allowing the login name to
be masqueraded in different manners possibly
allowing the user to partially bypass certain
per-user restrictions or confuse third party
accounting packages.
Note that the user can not bypass the login
procedure as such. All he can do is to make
the login name look different than normal.
There is still full audit trails on who the
user is etc.
The patch also adds and documents a -d flag to
both squid_ldap_auth and squid_ldap_group to
allow for easier tracing of the operation of
these programs if results is not what is
expected.
severity Major
date 2004-03-04 09:37
bugzilla #935
versions Squid-2.5 and earlier
platforms All
configuration configurations where squid_ldap_auth is used
for authentication using a search filter (-f
option) and where squid_ldap_group is not used
to further restrict the valid usernames.
workaround Combine squid_ldap_auth with squid_ldap_group
to only allow valid logins who are member of a
certain group, or alternatively use a
proxy_auth_regex acl to deny the use of any
login using restricted characters.
acl bad_login proxy_auth_regex [()\\*]
http_access deny bad_login
o Empty proxy_auth ACLs are silently accepted but lead to unpredictable ACL matching
synopsis If a proxy_auth acl is incorrectly defined with no members
then any http_access rules using this acl will give
unpredictable results depending on the results of earlier
acl lookups. This patch corrects both the reason to why
acl lookups became unpredictable and makes Squid reject
such incorrect acl definitions.
severity Medium
date 2004-01-15 07:44
bugzilla #893
versions Squid-2.5 and earlier
platforms All
workaround Make sure your proxy_auth acls are correctly defined. If
the acl should not match any users then don't declare the
acl at all.
o Squid doesn't follow telnet protocol on FTP control connections
synopsis Squid forgot to escape IAC characters (ascii code 255) in
FTP requests, causing problems to access files/directories
using this character in their name or to log in with this
character in the login or password.
severity Minor
date 2004-02-03 14:38
bugzilla #877
versions Squid-2.5 and earlier
platforms All
workaround Double any such characters in the input to Squid. (%ff%ff
instead of %ff)
o Random auth popups and account lockouts when using NTLM
synopsis When using NTLM authentication random auth popups and
account lockouts may be experienced.
severity Medium
date 2004-02-11 22:12
bugzilla #908
versions Squid-2.5
platforms All
workaround It may help to configure a lot of NTLM helpers but this is
not verified.
o squid_ldap_group -S option did not work
synopsis The -S and -E options in squid_ldap_group v2.12 was mixed
up, making the options somewhat hard to use.
severity Minor
date 2004-02-09 17:10
bugzilla #911
versions Squid-2.5.STABLE4 + ldap_group 2.12 patch
platforms All
workaround Specify -E instead of -S.
o Squid stuck at 100% CPU loop in ipcache_purgelru, or segfault in the same
synopsis The squid-2.5.STABLE4-connect_cleanup.patch was not
entirely correct and could cause memory corruption in
certain situations involving negative DNS replies (host not
found etc)
severity Major
date 2004-02-12 09:42
bugzilla #891
versions Squid-2.5.STABLE4-20031210 to 20040212
platforms All
Various HTTP workarounds and minor corrections
synopsis This patch works around certain broken HTTP servers
(reportedly IIS-5) who incorrectly signals the use of
persistent connections. It also corrects some minor
HTTP issues to make the Squid proxy more semantically
transparent.
severity Minor
date 2004-01-14 18:14
bugzilla #890
versions Squid-2.5 and earlier
platforms All
squid_ldap_group failure if specifying many or long group names
synopsis If the request to squid_ldap_group (login name + all
group names) exceed 256 characters then group lookups
fails or behaves erratically.
severity Minor
date 2004-01-08 19:08
versions Squid-2.5
platforms All
workaround Define multiple ACLs instead of listing many groups in
the same ACL
LDAP helpers TLS mode (-Z option) does not work
synopsis The TLS mode of the LDAP helpers did not work and
always reported "TLS Connection failed"
severity Minor
date 2004-01-05 12:05
bugzilla #887
versions Squid-2.5
platforms All
workaround Use the ldaps:// URI method instead, if your LDAP
server supports it.
- Remove --disable-internal-dns. It could be still enabled by adding to
SQUID_CONFIGURE_ARGS in /etc/mk.conf. It found that external dnsserver
has some problem, performance disadvantage on Solaris 8.
- Apply eight official patches.
o Incomplete objects may appear stuck in the cache
synopsis Under certain conditions incomplete objects
may appear stuck in the cache, not even reload
giving a new fresh copy.
severity Major
date 2003-12-23 01:23
bugzilla #876
versions Squid-2.5 and earlier
platforms All
workaround Compiling squid with --disable-http-violations
completely avoids the issue. Setting
"half_closed_clients off" and making
quick_abort as aggressively aborting as
possible by "quick_abort_min 0 KB" and
"quick_abort_max 0 KB" mostly hides the
problem.
o assertion failed: pinger.c:187: "icmp_pktsize <= MAX_PKT_SZ"
synopsis In Squids built with --enable-icmp the pinger
helper may exit with the above assertion
failure if Squid receives a request with a
very long host name.
severity Minor
date 2003-12-23 01:23
bugzilla #865
versions Squid-2.5 and earlier
platforms All
workaround Don't build squid with --enable-icmp. This is
generally recommended anyway unless you are
absolutely sure you want to ICMP PING random
sites all over the Internet to measure RTT
information even if this may trigger IDS
systems etc.
o 000 status code being logged for redirects (should be 302)
synopsis Redirects initiated by redirector helpers was
logged as TCP_MISS/000 instead of the expected
TCP_MISS/302. This patch corrects this and should
also correct log_mime_hdrs output for the same.
severity Minor
date 2003-12-21 16:21
bugzilla #869
versions Squid-2.5 and earlier
platforms All
o Update of Russian error pages
synopsis In a current version threre is a problem. The
absence of "yo" letter. ("e" with 2 dots ).
People prefer to write "E" instead "yo", that is
not quite correct, like "How r u" intstead "How
are you?"
severity Cosmetic
date 2003-12-21 15:21
bugzilla #864
versions Squid-2.5 and earlier
platforms All
o Added 'urllogin' ACL type
synopsis This is not a fix for a Squid bug. It is a new
feature to workaround an MSIE6 bug that uses
control characters to obfuscate the true origin
server hostname. You can use the 'urllogin' acl
TYPE to deny HTTP requests that contain certain
characters in the URL login field.
severity Medium
date 2003-12-19 16:19
versions Squid-2.5 and earlier
platforms All
workaround Patch MSIE6, if/when the patch becomes available.
o DNS resolver has too short MAXHOSTNAME
synopsis Squid would not process hostnames longer than 128
characters. This affects few hosts on the
internet, but with the growing use of iDNA it's
becoming an issue.
severity Minor
date 2003-12-18 01:18
bugzilla #842
versions Squid-2.5 and earlier
platforms All
workaround None.
o Squid refuses to start if "pid_filename none" is specified
synopsis Contrary to the documentation "pid_filename none"
is not accepted and Squid refuses to start.
severity Minor
date 2003-12-17 21:17
bugzilla #868
versions Squid-2.5 and earlier
platforms All
o cache_peer max-conn=.. option does not work
synopsis Due to the a accounting mismatch in the number of
open connections to peers the cache_peer
max-conn=.. option does not work. This issue is
also seen as very high numbers in the OPEN CONN
peer statistics via cachemgr.
severity Minor
date 2003-12-20 20:20
bugzilla #867
versions Squid-2.5 and earlier
platforms All
- Separate MESSAGE files into each platform.
- Remove --disable-internal-dns. It could be still enabled by adding to
SQUID_CONFIGURE_ARGS in /etc/mk.conf. It found that external dnsserver
has some problem, performance disadvantage on Solaris 8.
- Apply eight official patches.
o Incomplete objects may appear stuck in the cache
synopsis Under certain conditions incomplete objects
may appear stuck in the cache, not even reload
giving a new fresh copy.
severity Major
date 2003-12-23 01:23
bugzilla #876
versions Squid-2.5 and earlier
platforms All
workaround Compiling squid with --disable-http-violations
completely avoids the issue. Setting
"half_closed_clients off" and making
quick_abort as aggressively aborting as
possible by "quick_abort_min 0 KB" and
"quick_abort_max 0 KB" mostly hides the
problem.
o assertion failed: pinger.c:187: "icmp_pktsize <= MAX_PKT_SZ"
synopsis In Squids built with --enable-icmp the pinger
helper may exit with the above assertion
failure if Squid receives a request with a
very long host name.
severity Minor
date 2003-12-23 01:23
bugzilla #865
versions Squid-2.5 and earlier
platforms All
workaround Don't build squid with --enable-icmp. This is
generally recommended anyway unless you are
absolutely sure you want to ICMP PING random
sites all over the Internet to measure RTT
information even if this may trigger IDS
systems etc.
o 000 status code being logged for redirects (should be 302)
synopsis Redirects initiated by redirector helpers was
logged as TCP_MISS/000 instead of the expected
TCP_MISS/302. This patch corrects this and should
also correct log_mime_hdrs output for the same.
severity Minor
date 2003-12-21 16:21
bugzilla #869
versions Squid-2.5 and earlier
platforms All
o Update of Russian error pages
synopsis In a current version threre is a problem. The
absence of "yo" letter. ("e" with 2 dots ).
People prefer to write "E" instead "yo", that is
not quite correct, like "How r u" intstead "How
are you?"
severity Cosmetic
date 2003-12-21 15:21
bugzilla #864
versions Squid-2.5 and earlier
platforms All
o Added 'urllogin' ACL type
synopsis This is not a fix for a Squid bug. It is a new
feature to workaround an MSIE6 bug that uses
control characters to obfuscate the true origin
server hostname. You can use the 'urllogin' acl
TYPE to deny HTTP requests that contain certain
characters in the URL login field.
severity Medium
date 2003-12-19 16:19
versions Squid-2.5 and earlier
platforms All
workaround Patch MSIE6, if/when the patch becomes available.
o DNS resolver has too short MAXHOSTNAME
synopsis Squid would not process hostnames longer than 128
characters. This affects few hosts on the
internet, but with the growing use of iDNA it's
becoming an issue.
severity Minor
date 2003-12-18 01:18
bugzilla #842
versions Squid-2.5 and earlier
platforms All
workaround None.
o Squid refuses to start if "pid_filename none" is specified
synopsis Contrary to the documentation "pid_filename none"
is not accepted and Squid refuses to start.
severity Minor
date 2003-12-17 21:17
bugzilla #868
versions Squid-2.5 and earlier
platforms All
o cache_peer max-conn=.. option does not work
synopsis Due to the a accounting mismatch in the number of
open connections to peers the cache_peer
max-conn=.. option does not work. This issue is
also seen as very high numbers in the OPEN CONN
peer statistics via cachemgr.
severity Minor
date 2003-12-20 20:20
bugzilla #867
versions Squid-2.5 and earlier
platforms All
o Repeated POST requests causes number of persistent connections to grow
synopsis If responses to POST or other non-indempotent
requests allows the connection to be kept
persistently open then this can lead to a
increased connection usage by Squid. This
patch changes the behaviour to keep the number
of connections stable by closing a persistent
connection before opening the new connection.
severity Minor
date 2003-12-13 16:13
bugzilla #862
versions Squid-2.5
platforms All
workaround Disable server-side persistent connections by
setting "server_persistent_connections off" in
squid.conf.
o Segmentation fault on aborted FTP PUT requests
synopsis If a FTP PUT request is aborted while Squid is
writing data to the server then Squid may
abort with a segmentation fault.
severity Major
date 2003-12-14 12:14
bugzilla #853
versions Squid-2.5 and earlier
platforms All
workaround If this plauges you a lot then you can deny
the use of FTP PUT until the server can be
patched. But please note that this will limit
the functionality of the proxy by not allowing
FTP uploads via the proxy.
acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT
o Limit use of persistent connections when filedescriptor usage is high
synopsis Under high usage a lot of filedescriptors may
be idle persistent connections, causing a
shortage of filedescriptors for handling new
requests.
severity Minor
date 2003-12-14 12:14
bugzilla #571
versions Squid-2.5 and earlier
platforms All
workaround Disable the use of persistent connections in
squid.conf. But pleae note that disabling
persistent connections will cause a networking
performance penalty unless you are actually
short on filedescriptors. Alternatively
rebuild Squid with support for more
filedescriptors.
o Icon URLs are uneededly complex
synopsis The URL syntax used by Squid for FTP/Gopher
icons are uneededly complex and often causes
problems. This patch adds a "short_icon_urls"
directive which can be used to enable a less
complex URL syntax for icons.
severity Cosmetic
date 2003-12-14 13:14
bugzilla #856
versions Squid-2.5 and earlier
platforms All
o redirector_access does not handle slow acls such as dst or external correctly
synopsis redirector_access was a "fast" acl lookup and
did not handle "slow" acls requiring external
lookups such as dst or external correcly.
severity Minor
date 2003-12-14 13:14
bugzilla #860
versions Squid-2.5 and earlier
platforms All
o Persistent connection usage too high after sudden burst of traffic
synopsis Persistent server connections are reused in a
round-robin fashion which may cause the number
of connections to stay artificially high after
a sudden burst of requests.
This patch changes persistent connection
management to use a LIFO order reusing the
most recently used connection first, thereby
allowing unneeded connections to close down by
idle timeout.
severity Minor
date 2003-12-15 23:15
bugzilla #865
versions Squid-2.5 and earlier
platforms All
workaround This usually is not a significant problem, but
if you are plauged by this you can try
disabling server-side persistent connections
in squid.conf.
Apply two offcial patches.
* FQDN lookups sometimes returns garbage
synopsis FQDN lookups sometimes give garbage after the result.
This can be seen as junk in access.log when using
log_fqdn or false access control results when using
dstdomain acl type and the user requests a URL by IP
address.
severity Minor
date 2003-12-04 10:04
bugzilla #846, #834, #433
versions Squid-2.5 and earlier
platforms All
workaround Don't use log_fqdn or alternatively compile Squid with
--disable-internal-dns
* Cleanup of connect & dns timeouts etc
synopsis Several minor errors related to how Squid finds a
connection where to forward requests. This patch
o Adds a new configuration parameter "forward_timeout"
to control how long Squid tries to find a method to
find a path where to forward the request before
giving up. Defaults to 2 minutes.
o The default connect_timeout tuned down from 2 minutes
to 1 minute to allow for two attempts to find a
suitable path within the forward_timeout
o fqdncache/ipcache restructured to allow for DNS code
to allow the queried name to be logged in cache.log
on errors.
o negative_dns_ttl now overloaded to also specify the
minimum ttl used when caching DNS responses, and
tuned down from 5 minutes to 1 minute.
o default dns_timeout tuned down from 5 minutes to
2 minutes
o some minor compilation warnings on
--disable-internal-dns corrected
o properly report DNS timeouts as timeouts and not just
"No DNS records"
severity Minor
date 2003-12-06 17:06
bugzilla #848, #849, #851, #852
versions Squid-2.5 and earlier
platforms All
* connection setup may look like syn flood attack if server is
refusing connection
* --enable-arp-acl may give warning about net/route.h
* Incorrect html on empty Gopher responses
* positive_dns_ttl ignored when using internal DNS client
* squid_ldap_group update to version 2.12
* 100% CPU loop if external_acl combined with authentication
* maximum_object_size too large causes squid not to cache
* Install of Mozilla/Netscape plugins fails because .xpi mime type unknown
* Segfault if failing to load error page
* Error page translation updates for German and Lithuanian
* auth_param documentation update
* pam_auth fails on Solaris when using pam_authtok_get
* FQDNcache discards negative responses when using internal DNS
* login with space confuses redirector helpers
* digest auth never detects password changes
* cache.log message on "squid -k reconfigure" confusing
squid 2.5.3nb4 package.
Changes to squid-2.5.STABLE4 (15 Sep 2003):
- Lithuanian error messages added to the distribution
- Bug #660: segfauld if more than one custom deny_info line
- cache_dir disd documentation cleanup
- check open of /dev/null to avoid 100% CPU loop in badly
configured chroot environments
- documentation update on uri_whitespace to refer to the correct RFC
- Bug #655: icmpRecv: recv: (11) Resource temporarily unavailable
- Bug #683: external_acl does not wait for ident lookups to complete
- aufs: Fix a minor use-after-free problem which could cause the
count of opening filedescriptors to grow larger than it should
- Syntax changes to make GCC-3.3 accept Squid without complaints
- Warning if CARP server defined in incorrect load factor order
- neighbor_type_domain documentation update
- http_header_access now works when using cache peers
- high_memory_warning now uses sbrk as fallback mechanism on
platforms where neither mallinfo or mstats are available.
- hosts_file now handles comments at the end of lines correcly
- storeCheckCachable() Stats corrected for release_request and
wrong_content_length.
- cachePeerPingsSent MIB type corrected
- unused minimum_retry_timeout directive removed
- Bug #702: ERR_TO_BIG spanish translation
- Bug #705: Memory leak on deny_info TCP_RESET
- Code cleanup to fix compile error in httpHeaderDelById
- Bug #699: Host header now forwarded exactly where it was in the
original request to work around certain broken firewalls or
load balancers which fail if this header is too far into the
request headers.
- Bug #704: Memory leak on reply_body_max_size
- Bug #686: requests denied due to http_reply_access are now
logged with TCP_DENIED (instead of TCP_MISS, etc).
- Bug #708: ie_refresh now sends no-cache to have the reload
request propagate properly in cache meshes
- Bug #700: Crashes related to ftpTimeout: timeout in SENT_PASV state
- Bug #709: cbdata.c:186: "c->valid" assertion due to peer
digest not found
- Bug #710: round-robin cache_dir selection incorrectly
compares max-size.
- Statistics corrections in HTTP header statitics
- QUICKSTART cleanups
- Bug #715: statCounter.syscalls.disk counters treated
inconsistently. Now increment the counters in AUFS
functions and for unlinkd.
- Improvements to the (experimental) COSS storage scheme.
- Bug #721: User name field in access.log sometimes blank
- Bug #94: assertion failed: http.c: "-1 == cfd ||
FD_SOCKET == fd_table[cfd].type"
- Bug #716: assertion failed: client_side.c:1478: "size > 0"
- Bug #732: aufs calculates number of threads and limits wrongly
- Bug #663: Username not logged into access.log in case of /407
- Bug #267: Form POSTing troubles with NTLM authentication
and occationally in differen other error conditions.
- Bug #736: ICP dynamic timeout algorithm ignores multicast.
- Bug #733: No explicit error message when ncsa_auth can't access
passwd file
- Bug #267, #757: POST with NTLM stops after persistent connection
timeout
- Bug #742: Wrong status code on access denials if delay_access
is used. Most notably 407 instead of 403 could be returned.
- Bug #763: segfault if using ntlm in http_reply_access
- Bug #638: assertion error if using proxy_auth in delay_access
- Bug #756: segmentation fault if using ntlm proxy_auth in delay_access
- The issue of reply_body_max_size limiting the size of error
messages no longer applies.
- external_acl_type concurrency= option renamed to children= to
prepare for Squid-3 upgrades. Old syntax still accepted for the
duration of the Squid-2.5 release.
- number of filedescriptors rounded down to an even multiple of 64
to work around issues in certain libc implementations.
- winbind helpers less noisy in cache.log on restarts/shutdown.
- Squid now automatically restarts helpers if too many of them
have crashed.
external_acl_type concurrency= renamed to children=
synopsis To lessen confusion in later upgrades to Squid-3 the
external_acl_type concurrency= option has been renamed to
children= to match Squid-3 usage. This is done because
concurrency= has a completely different meaning in
squid-3. Squid-2.5 still accepts the old syntax to keep
compatibility within the Squid-2.5 release, but it is recommended
to start using the new syntax unless you need to be able to
easily downgrade to a earlier Squid-2.5 release.
severity Cosmetic
date 2003-09-02 07:02
versions Squid-2.5.STABLE3 and earlier
platforms All
workaround Make sure to read the Squid-3 releasenotes very carefully when
upgrading.
Assertion error or segmentation fault if using proxy_auth in delay_access
synopsis If proxy_auth acl type is used in delay_access then Squid may
abort with an assertion error or segmentation fault. Notice: This
patch may change some error conditions to be logged with
TCP_DENIED rather than TCP_MISS.
severity Medium
date 2003-09-01 20:01
bugzilla #638, #756
versions Squid-2.5
platforms All
workaround Don't use proxy_auth acl types in delay_access
Segmentation fault if proxy_auth with ntlm used in http_reply_access
synopsis In configurations where authentication is enforced in http_access
and then reused in http_reply_access to further control access
levels Squid may segfault if the ntlm authentication scheme is
used.
severity Medium
date 2003-09-01 20:01
bugzilla #763
versions Squid-2.5
platforms All
workaround Don't use proxy_type acls in http_reply_access or disable the use
of the ntlm authentication scheme (disabled by default)
code 407 instead of 403 for authenticated traffic-shaped user
synopsis delay_access can disturb Squids logics on when to request a new
login from the user. Most notably if delay_access ends up in a
proxy_auth acl then any access denials will require a new login
but the opposite may also happen.
severity Medium
date 2003-08-31 09:31
bugzilla #742
versions Squid-2.5 and earlier
platforms All
workaround make sure delay_access always ends up in the same class of ACL as
http_access does on the same request.
Form POSTing troubles with NTLM authentication or other error responses
synopsis Large POST/PUT requests may fail with a "Connection reset" error
in the browser in situations where Squid immediately responds
with an error page. This is most notable when using NTLM
authentication but may also occur in a few other situations
severity Medium
date 2003-08-28 22:28
bugzilla #267, #757
versions Squid-2.5 and earlier
platforms All
workaround Allow POST/PUT without requiring authentication if you are using
NTLM authentication.
No explicit error message when ncsa_auth (squid user) can't access passwd file
synopsis ncsa_auth just exists if it can not read the supplied password
file, instead of reporting an error.
severity Minor
date 2003-08-20 12:20
bugzilla #733
versions Squid-2.5 and earlier
platforms All
workaround If ncsa_auth exits for no apparent reason, verify that the given
ncsa password file is readable by the cache_effective_user.
forwarded_for off has no effect
synopsis The patch for Bug #92 (squid-2.5.STABLE3-mem_cfd.patch) broke the
forwarded_for directive.
severity Minor
date 2003-08-18 17:18
bugzilla #750
versions Squid-2.5.STABLE3 snapshots 2003-08-07 to 2003-08-18
platforms All
workaround Use anonymization via http_header_access to delete the
X-Forwarded-For header from forwarded requests. This is probably
preferred in any case.
- fix startup script as PR pkg/22502 by Steven M. Bellovin
- includes newer official squid patches except
squid-2.5.STABLE3-coss-improvements-2.patch (which is broken).
o 2003-07-22 15:22 (Cosmetic)
statCounter.syscalls.disk counters treated inconsistently
o 2003-07-25 17:25 (Minor)
Improvements to the (experimental) COSS storage scheme.
o 2003-07-28 09:28 (Minor)
Blank username logging fix
o 2003-07-29 22:29 (Minor)
More improvements to the (experimental) COSS storage scheme.
o 2003-08-06 13:06 (Medium)
assertion failed: http.c:869: "-1 == cfd || FD_SOCKET == fd_table[cfd].type"
o 2003-08-06 14:06 (Medium)
assertion failed: client_side.c:1478: "size > 0" when using aufs
o 2003-08-06 14:06 (Minor)
aufs calculates the number of threads and queue limits wrongly
o 2003-08-10 07:10 (Cosmetic)
Compile error in auth/digest_auth.c
o 2003-08-10 19:10 (Minor)
Username not logged into ACCESS.LOG in case of /407
o 2003-08-13 00:13 (Minor)
ICP dynamic timeout algorithm ignores multicast
- (Minor) round-robin cache_dir selection incorrectly compares max-size
- (Major) cbdata.c:186: "c->valid" assertion due to peer digest not found
- (Major) Crash after ftpTimeout: timeout in SENT_PASV state
- (Minor) Requests denied by http_reply_access are not logged with TCP_DENIED
- (Minor) ie_refresh does not signal no-cache to peer caches
- (Medium) Client Socket Buffer leak on reply_body_max_size
- (Medium) Forward Host headers in place
- (Medium) Memory leak in deny_info TCP_RESET
- (Cosmetic) ERR_TOO_BIG Spanish translation
- (Cosmetic) minimum_retry_timeout unused
- (Minor) SNMP update of cachePeerPingsSent and cachePeerPingsAcked
- (Cosmetic) store_check_cachable_stats slghtly misleading
- (Minor) /etc/hosts and lines with comments after the host name
- (Minor) sbrk as fallback method for high_memory_warning
- (Minor) header_access fails when using peers
- (Cosmetic) neighbor_type_domain documentation update
- (Minor) issue warning if CARP load factor values decrease in the cache_peer list
- (Cosmetic) Compile time warnings when using GCC-3.3
- (Minor) aufs Files queued for open counter mismatch
- (Minor) external_acl does not wait for ident lookups to complete
- (Minor) icmpRecv: recv: (11) Resource temporarily unavailable
- (Cosmetic) Incorrect RFC reference regarding URL syntax
- (Cosmetic) quote '%' character in logs
- (Cosmetic) check open("/dev/null") return value for errors.
- (Cosmetic) "cache_dir diskd" documentation update
Not all of the pathces are new but updated one.
Compile time warnings when using GCC-3.3
synopsis GCC-3.3 gets slightly confused by the Squid code and gives a
few mostly false warnings regarding type-punning.
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-gcc-3_3.patch
workaround Ignore the warnings
aufs Files queued for open counter mismatch
synopsis Under certain conditions the "Files queued for open counter"
could grow larger than intended. If this grows too large then
Squid may think it runs out of filedescriptors even if there is
plenty of filedescriptors free, but we do not expect this to
become a real problem in any installations.
severity Minor
versions Squid-2.5 and earlier
platforms All using aufs
patch squid-2.5.STABLE3-aufs-openingfds.patch
external_acl does not wait for ident lookups to complete
synopsis extrenal_acl_type %IDENT does not wait for ident lookups to
complete.
severity Minor
bugzilla #683
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-external_acl_ident.patch
workaround use an ident acl before your external acl to trigger the ident
lookup
Compilation error in src/HttpHeaderTools.c on certain platforms
synopsis The Squid-2.5.STABLE2 patch for digest authentication used a
C99 feature (dynamic array initializers) which may not be
available in all C compilers
severity Minor
bugzilla #660
versions Squid-2.5.STABLE3
platforms Several platforms not using GCC or a C99 compliant C compiler
patch squid-2.5.STABLE3-HttpHeaderTools.patch
workaround Use GCC
Segmentation fault if more than one custom deny_info message defined
synopsis The Squid-2.5.STABLE2 patch for deny_info TCP_RESET was not
entirely correct and causes segmentation fault on startup if
more than one custom deny_info error message is defined
severity Minor
bugzilla #662
versions Squid-2.5.STABLE3
platforms All
patch squid-2.5.STABLE3-deny_info.patch
workaround Disable the use deny_info in your squid.conf.
Changes to squid-2.5.STABLE3 (25 May 2003):
- Bug #573: Occational false negatives in external acl lookups
- Bug #577: assertion failed: cbdata.c:224: "c->y == c" when
external_acl helpers crashes
- Bug #590: Squid may hang or behave oddly on shutdown while
requests is being processed.
- Bug #590: external acl lookups does not deal well with queue
overload
- cache_effective_user documentation update
- cache_peer documentation update for htcp and carp
- Bug #600: The example header_access paranoid setting is
missing WWW-Authenticate
- Bug #605: Segmentation fault in idnsGrokReply() on certain
platforms
- Fixes to build properly on AIX 5
- Bug #574: wb_group updated to version 1.1 to make group names
case insensitive and correct a segfault issue in the helper
- SNMP mib updates to make cacheNumObjCount,
cacheCurrentUnlinkRequests, cacheCurrentSwapSize and cacheClients
correctly report as gauges (was reporting as counters).
- Woraround for --enable-ssl Kerberos issue on RedHat 9
- Bug #579: Close and repopen log files on "squid -k reconfigure"
- Bug #598: squid_ldap_auth could segfault if LDAP server is
unavailable
- Bug #609,#612: msntauth helper fixes in dealing with large
or non-existing allow/deny user files.
- Bug #620: acl ident REQUIRED matches even if the ident lookup fails
- Bug #432: reply_body_max_size fails with ident or proxy_auth acls
and also fails to block large objects where the content-length
is not known
- Bug #606: Basic auth looping and gets stuck at high CPU usage when
multiple proxy_auth ACLs combined in one line and login fails.
- squid_ldap_auth updated with support for TLS and SSL
- Bug #623: segfault if using negated external acls in certain
configurations involving other acls later on the same http_access
line.
- Bug #622: wb_group helper update to version 1.2 to ass support for
Domain-Qualified groups refering to groups in a specific domain
- Bug #596: logic error in poll() error management
- Bug #597: logic errors in error management
- Bug #591: segmentation fault in authentication on "squid -k debug"
- Bug #587: smb_auth fails on complex logins involving domain names
or other odd characters
- Bug #558, #587: smb_auth.pl fails on complex logins involving
domain names or other odd characters
- Bug #643: external_acl fails with ttl=0 due to a change introduced
by the patch for Bug #553 in 2.5.STABLE2.
- Bug #630: minor issues in digest authantication causing random
authentication failures and incompability with many mainstream
browser digest implementations due to browser qop bugs. To deal
with those broken browser nonce_stricness now defaults to off,
and two new digest options have been added (check_nonce_count
and post_workaround) to allow workarounds to other quite bad
browser bugs if needed.
- Bug #644: digest authentication fails on requests with one
or more comma in the requested URL
- Bug #648: deny_info TCP_RESET not working. The fix for this also
adds the ability to send redirects.
- Don't left share/doc/squid directory on deinstall.
- Apply recent 12 official patches.
- (Minor) deny_info TCP_RESET does not work
- (Minor) Digest authentication fails on URLs with comma
- (Minor) digest nonce count workarounds for broken browsers
- (Minor) external_acl hangs if defined with ttl=0
- (Minor) smb_auth.pl (multi-domain-NTLM) fails on domain qualified logins
- (Minor) smb_auth fails on complex logins (involving domain names or odd
characters)
- (Minor) ACL regression error introduced by earlier 2.5.STABLE2 patch
- (Cosmetic) segmentation fault in authentication if debugging enabled
- (Cosmetic) Unreachable code due to siged/unsigned errors
- (Minor) logic error in comm_select.
- (Minor) wb_group update to 1.2 to add support for domain qualified goups
- (Minor) Segmentation fault when using negated external acls
Apply newer offcial patches (total 19). Here is short summary of those
newly added patch files.
See http://www.squid-cache.org/Versions/v2/2.5/bugs/ in detail.
o squid_ldap_auth update to support TLS, SSL and increased security for bind
password
o Basic auth looping when multiple proxy_auth ACLs combined in one line.
o reply_body_max_size fails with ident or proxy_auth acls
o acl ident REQUIRED matches even if the ident lookup fails
o msntauth helper crashes related to the alow/deny file operation
o LDAP basic authentication crash if server is unreachable
o "squid -k reconfigure" does not close logs to activate new settings
o --enable-ssl fails on RedHat 9
o SNMP MIB used Counter32 for certain values which are gauges
o Upgrade of wb_group to 1.1
o AIX 5 issues
o egmentation fault in idnsGrokReply() on certain platforms
synopsis A bug in how Squid processes certain DNS
replies can cause segmentation faults on
certain platforms. Linux and FreeBSD on X86
platforms seems unaffected however.
severity Major
bugzilla #605
versions Squid-2.5 and earlier
platforms Solaris SPARC and several other
patch squid-2.5.STABLE2-dns_root_label.patch
workaround Recompile squid with --disable-internal-dns
o The example header_access paranoid setting is missing WWW-Authenticate
synopsis The paranoid header_access example is missing
WWW-Authenticate, and thereby unintentionally
denying authentication to web sites if used
without modifitaions.
severity Cosmetic
bugzilla #600
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-header_access_paranoid.patch
- Squid may hang or behave oddly on shutdown while requests is being processed.
synopsis Squid may hang or otherwise behave oddly in shutdown
if there is new requests processed at the same
time. On shutdown Squid internally shut down DNS,
redirectors and external acls while still processing
new requests already received. In combination with the
external acl queue overload bug this can completely
hang Squid, preventing it from shutting down.
severity Minor
bugzilla #590
versions Squid-2.5 and earlier
platforms All
- external acl lookups does not deal well with queue overload
synopsis If there is a queue overload for external acl lookups
then Squid logs "externalAclLookup: 'xxx' queue
overload" at a very high rate in cache.log until the
condition clears up.
severity Major
bugzilla #590
versions Squid-2.5
platforms All
- cache_effective_user documentation unclear
synopsis The cache_effective_user/group documentation was
unclear on what happens if only one of the directives
is set, or when Squid is started as a non-root user.
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
- cache_peer documentation missing for htcp and carp
synopsis The cache_peer documentation for the htcp and carp
related options was missing
severity Cosmetic
versions Squid-2.5 and earlier
platforms All
pkgsrc change: install some supplemental documents.
Changes to squid-2.5.STABLE2 (Mars 17, 2003):
- Contrib files added back to the distribution
- Several compiler warnings fixed when using --disable-ident or
--disable-http-violations
- authentication can now be used in most access controls, but
must in most cases first be enforced in http_access to force
the user to authenticate.
- cleanups in the developer bootstrap.sh process when preparing
the sources.
- several squid.conf.default documentation updated to correctly
refer to the current names when refering to other directives
- authenticate_ip_ttl documentation updates
- several assertion faults and segmentation violations corrected
- the RunCache/RunAccel and squid.rc scripts updated to refer to
the squid binary in sbin rather than the old bin location.
- squid_ldap_auth command line processing fixes when specifying
the LDAP server last on the line instead of -h option
- aufs data corruption bugfix
- aufs performance improvement for low traffic systems
- aufs stability improvements
- external_acl corrected to properly deal with quoted strings
- WCCPv1 bugfix to make sure the router accepts the hash assignments
- "Total accounted memory" now correctly reported in cachemgr
- several small memory leaks (mostly reconfigure related)
- new squid.conf option to allow GET/HEAD requests with a request
entity
- "make uninstall" no longer removes squid.conf
- cachemgr.cgi now uses POST to avoid having the cachemgr password
logged in the web server logs
- authentication schemes which are known to not be proxyable are now
filtered out from forwarded server replies to avoid that the clients
tries to use such schemes when we know for a fact it won't work
- spelling corrections in various error messages
- now possible to define acl values with spaces in them
by using the "include file" feature
- squid_ldap_group updated to 2.10 to fix compilation issues with
recent (and older) OpenLDAP libraries and to make the helper deal
correctly with true LDAP groups by first looking up the user DN.
- Some internal code cleanups
- now verifies that programs etc exists iside the chroot directory
when using chroot_dir. No longer neccesary to set up a split view
environment where the same paths works both inside the chroot and
outside just to convince Squid that the files is actually there..
- improved memory usage reporting
- --disable-hostname-checks configure option
- no longer ignores double dots in host names. Any hostname with
double dots is now rejected as invalid.
- log_mime_hdrs no longer logs garbage if very long headers
are seen.
- 'select_fds_hist' object added to cachemgr 'histogram' output
- pid file now unlinked when squid has really shut down, not
immediately when the shutdown request is received. This allows
the pid file to be monitored to determine when Squid has shut down
properly
- correct authentication scheme setups on some platforms or compilers
- several squid.conf.default documentation updates to remove references
to renamed or replaced directives by changing them to their current
names.
- the SSL reverse proxy support updated to allow building with
OpenSSL 0.9.7 and and later.
- Corrected a minor performance problem while processing HEAD replies
from various broken web servers not sending a correct HTTP reply
- time acls can now specify multiple times in the same acl name, like
most other acl types.
- winbind helpers updated to match Samba-2.2.7a and should
work with Samba-2.2.6 or later (required). For compability with
older Samba versions A new configure option --with-samba-sources=...
has been added to allow you to specify which Samba version the
helpers should be built for if different than the above versions.
- Squid MIB definition syntax correction to work better with newer
(and older) SNMP tools.
- Fixed access.log format when logging "error:invalid-HTTP-ident" on
requests where parsing the HTTP identifier (HTTP/1.0) failed.
- "make distclean" no longer removes the icons, this avoids the
dependency on "uudecode" to rebuild Squid after "make distclean"
- User name returned by external acl lookups (external_acl_type)
is now available as "ident" in later acl checks in addition to
the logging in access.log.
- Incorrect behaviour of Digest authentication partly corrected - it
will not handle sessions, but will always enforce password
correctness.. (patch submitted by Sean Burford).
- Issue with persistent connections and PUT/POST request corrected
- include more official squid patches.
o Make external_acl user names available as IDENT in later acl processing
o digest authentication security issue
o external_acl Assertion failed: auth_user_request != NULL
o make install fails to install icons after make distclean
o "error: invalid HTTP-ident" breaks log processing
