Bug 3013: segmentation fault on shutdown commSetCloseOnExec at comm.cc:1889
Bug 3233: Invalid URL accepted with url host is white spaces
Bug 3074: Improper URL handling with empty path (RFC 3986)
Bug 3463: dnsserver fails to compile
Bug 3390: Proxy auth data visible to scripts
Extend g++ compatibility for extern inline functions
Bug 3545: FreeBSD dnsserver segfaults
Bug 3466: Adaptation stuck on last single-byte body piece
Bug 3539: CONNECT server connection not closed correctly on errors
Bug 3133: Memory leak handling requests for sites that don't exist
Bug 3504: Regression: clientside_tos fails to mark traffic
Fix URL schemes out of sync
AnyP is a 3.2-only namespace
Support CoAP over HTTP
Bug 3263: ssl_crtd: undefined references to squid_curtime
Bug 3439: correct external_acl_type documented default for ipv4/ipv6 option
Fix closePipesSafely. It is a 3.2 feature
Revert rev10436. Correct patch already applied in 3.1.19
Bug 3420: part 2: Request body consumption races and theConsumer
Better helper-to-Squid buffer size management.
Support for 3.2 error template codes
Translations: Sync with 3.2
Regression: snmp/udp address directives not resolving hostname
Bug 3502: client timeout uses server-side read_timeout, not request_timeout
PAM helper program. OpenPAM didn't check this, so it could be
tricked into reading arbitrary config files, allowing privilege
escalation.
Standard squid installations don't install the PAM helper SUID, but
depending on local needs, an administrator might choose to do so.
approved by pkg maintainer
bump PKGREV
- Regression fix: vhost and defaultsite causing vport to be ignored
- Regression Bug 3295: broken escaping in rfc1738_do_escape
- Bug #3232: fails to compile with OpenSSL v1.0.0
- Bug #3222: cache_peer name is not logging on CONNECT
- Bug #3131: fd_table[fd].closing() assert from
ConnStateData::noteMoreBodySpaceAvailable()
- Bug #3217: "!fd_table[fd].closing()" from
ServerStateData::noteMoreBodySpaceAvailable
- Bug #3213: https sites (CONNECT) not open when using NTLM
- Bug #3114: Memory leak in SSL certificate verify code
- Bug #3107: ncsa_auth DES silently truncates passwords to 8 bytes
- Bug #2662: cf_gen failure when cross compiling
- Bug #2655: passing wrong the username to the url_rewrite_program
- Bug #2495: ignore whitespace prefix on config lines
- Bug #2051: 'default' cache_peer option does not match documentation
- Bug #1842: Optimize order of tests in peerWouldBePinged() and
peerHTTPOkay()
- Bug #1791: timestampsSet does not validate Date: if server sends very
old date
- Correct parsing of large Gopher indexes
- Enable negative cacheing on unknown or -1 expiry timestamp
- Remove hierarchy_stoplist default value
- Migrate cf_gen tool from C-style to C++
- ... and several documentation and compiler warning fixes
* Regression Bug 3261: Could not create a DNS socket and exit
Changes 3.1.13:
* Regression Bug 3239: problems with myip/myport upgrade
* Bug 3153: hung ICAP RESPMOD transactions
* Update ssl_crtd to use 'OK' status inline with other helpers
* Regression fix: Use bigger buffer for server reads.
* Regression fix: Add reply_header_replace directive for ability lost since 2.7
* Bug 3181: /dev/poll fails to build on Solaris with GCC 4.5.0
* Bug 3177: assertion failed: comm.cc:1583: "fd >= 0"
* Bug 3175: IPv6 PTR lookup crashes on raw-IP URLs when IPv6 disabled
* Bug 3173: Assertion bodyPipe!=NULL on SslBump CONNECT response writing failure
* Bug 3164: Total memory info display 32-bit overflows
* Bug 3155: Werror is hard-coded in libTrie build
* Bug 3151: squid_kerb_auth: use autoconf LIBS instead of FLAGS for library
linkage
* Bug 2976: invalid URL on intercepted requests during reconfigure
* Bug 2720: comment in same line as cache/mem_replacement_policy causes error
* Bug 2621: Provide request headers to RESPMOD when using cache_peer.
* Bug 2330: AuthUser objects are never unlocked
* Prevent CONNECT request relaying to origin servers
* squidclient HTTP/1.1 compliance updates (Pragma and User-Agent headers)
* squidclient: send Cache Manager password using -w
* eCAP: give full Request-URI to adapters
* ... and several debug and error display cleanups
* Bug 3149: not caching eCAP adapted body
* Bug 3144: redirector program blocks while reading STDIN
* Bug 3140: memory leak in error page generation
* Bug 3137: RADIUS auth helper does not send identifier to RADIUS server
* Bug 3115: logging segfaults if access_log is set to a directory
* Bug 2968: Show the Vary: headers information in cachemgr objects report
* Bug 2959: remove SAMBAPREFIX dependency
* Bug 2868: icc doesn't like string literal in assert checks
* HTTP/1.1: Send 307 status on deny_info redirection
* HTTP/1.1: Support POST/PUT with no body
* HTTP/1.1: Allow persistent connections for Mozilla/3.0 User-Agents
* Support RFC 5861 Cache-Control: stale-if-error option
* Add ftp_eprt directive to disable EPRT extensions in FTP
* Fix external_acl_type grace=0 to obey TTL
* Fix IP/FQDN cache accounting to avoid idle caches on busy servers
* Prevent pipeline_prefetch misconfigurations breaking NTLM/Negotiate auth
* ... and some documentation updates and corrections
* ... and some portability and stability fixes
* Bug 3121: memory leak in DigestAuth: AuthUser object is locked twice
* Bug 3113: Consuming too much memory when uploading files
* Bug 3110: 'reply_body_max_size none' does not work with x-forwarded-for
* Bug 3096: Consuming too much memory when delaying traffic
* Bug 3091: Bypassed ICAP errors are not counted as service failures
* Bug 3090: Polish FTP login error handing
* Bug 3068: cache_dir capacity and usage overflows
* Bug 3028: Permit wbinfo_group.pl to authenticate Kerberos users with NT domain
* Bug 427: HTTP Compliance: Support If-Match and If-None-Match requests
* Fix memory leak in adaptation_access
* Fix /dev/poll and poll() selection priority
* Fix PREFIX/var/run creation during install
* Fix cachemgr http_port config report display
* Add upgrade help process for obsolete options
* Accept RFC 2965 Set-Cookie2 / Cookie2 headers as 'known'
* HTTP/1.1: entry is stale if request has max-age=0
* HTTP/1.1: do not forward TRACE with Max-Forwards: 0 after REQMOD
* Toolchain update to support newer auto-tools
* ... and updated error page translations
* ... and updated documentation
* ... and some code optimization/simplification polish
- Bug 3088: dnsserver is segfaulting
- Bug 3084: IPv6 without Host: header in request causes connection to hang
- Bug 3082: Typo in error message
- Bug 3073: tunnelStateFree memory leak of host member
- Bug 3058: errorSend and ICY leak MemBuf object
- Bug 3057: 64-bit Solaris 9 Squid unable to determine peer IP and port
- Bug 3056: comm.cc "!fd_table[fd].closing()" assertion crash when a helper
dies
- Bug 3053: cache version 1 LFS support detection broken
- Bug 3051: integer display overflow
- Bug 3040: Lower-case domain entries from hosts and resolv.conf files
- Bug 3036: adaptation_access acls cannot see myportname
- Bug 3023: url_rewrite_program silently fails to rewrite on broken URLs
- Bug 2964: Prevent memory leaks when ICAP transactions fail
- Bug 2808: getRoundRobinParent not handling weights correctly
- Bug 2793: memory statistics sometimes display wrong
- Bug 2356: Port from 2.7: Solaris /dev/poll event ports support
- Bug 2311: crashes with ICAP RESPMOD for HTTP body size greater than 100kb
- Ensure /var/cache or jail equivalent exists on install
- HTTP/1.1: delete Warnings that have warning-date different from Date
- HTTP/1.1: do not remove ETag header from partial responses
- HTTP/1.1: make date parser stricter to better handle malformed Expires
- HTTP/1.1: improve age calculation
- HTTP/1.1: reply with a 504 error if required validation fails
- HTTP/1.1: add appropriate Warnings if serving a stale hit
- HTTP/1.1: support requests with Cache-Control: min-fresh
- HTTP/1.1: do not cache replies to requests with Cache-Control: no-store
- squidclient: Display IP(s) connected to in verbose (-v) display
- Fixes several issues with ICAP persistent connections
- Fixes small leaks in Netdb, DNS, ICAP, ICY, HTTPS
- ... and some cosmetic polishing
- Security fixes:
- Fixes for the request processing vulnerability tagged SQUID-2010:3.
http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
- A hardening of the DNS client against packet queueing approaches
used to enable attacks. This completes the protection against attacks
published by Yamaguchi late in 2009.
- An HTTP request-line parser hardened against several categories of
request attack. This greatly increasing the speed of detection and
reducing resources used to detect these categories of attack.
- Fixes for the following bugs:
- Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
- Bug 3005,2972: Locate LTDL headers correctly (again)
- Bug 2872: leaking file descriptors
- Bug 2583: pure virtual method called
* SourceFormat Enforcement
* Replace most USE_IPV6 with run-time support probing
* Translations: sync with 3.HEAD language updates
* Split-Stack enable DNS and http(s)_port sockets.
* Bug: --with-valgrind-debug failures ignored
* Fixed comm.cc:377: "fd_table[fd].halfClosedReader != NULL" assertion
* Kludge: try to detect system acinclude path, to fix libtool brokenness.
* Bug: search scope for digest_ldap_auth didn't work
* Update libtool autoconf macros to libtool2 style
* Correction documentation of QoS disable-preserve-miss
* Remove .so from SASL build checks
* Bug: AIX support: c only c++ style comments test case
* Bug: AIX support: check libm for log()
* Do not stop accepting just because we got COMM_NOMESSAGE.
* Bug: AIX support: uchar is already define (more)
* Bug: AIX support: uchar is already define
* Bug: crash handling NULL write callback
* Correct Joomla DB auth handling
* Fixed memory leak related to retried requests.
* Prevent memory leaks when cloning Range requests.
* Fixed memory leaks related to Range requests.
Changes 3.1.5:
* Bug: Fix context leak in HttpStateData::processReplyHeader
* Bug: raw-IPv6 address URL with append_domain broken
* Bug: does not send indirect X-Client-Ip in ICAP respmod
* Fix free memory corruption and off-by-on error when comparing SNMP OIDs
* Restart DNS retransmission count when restarting the query as an A lookup
* Bug: HTTP responses with no Date, L-M or Expires can now be cached
* Maintenance: Formater skip libltdl dirs
* SourceFormat Enforcement
* Bug: Fails to detect chunked encoding if not given in all lower case
* Port from 2.7: max_filedescriptor config option
* persistent_connection_after_error is meant to be on by default
* kFreeBSD does not have linux headers. Wrap properly.
* Maintenance: Use system MD5 instead of hard-coded python paths
* Bug: ICAP tokens not logged when using multiple access
* SourceFormat Enforcement
* OpenBSD: Fix build mem.cc warning: converting of negative value
- Bug 2933: Verification of the max. port number for WCCP2 dynamic service
- Bug 2924: RADIUS helper compile issues
- Bug 2922: Fix assertion failed: HttpHeader.cc: "Headers[id].stat.aliveCount"
- Bug 2919: tcp_outgoing_address ACLs not obeying acl_uses_indirect_client
- Bug 2896: Fix assertion failed: comm.cc:2063: "!fd_table[fd].closing()"
- Bug 2879: pt2: 3.0 regression in headers end finding
- Bug 2877: pt2: only output zero-size warning on reverse-proxy requests
- Bug 2876: FD_SETSIZE override not working on all linux distributions
- Bug 2810: common log format generates 2 lines of syslog
- Bug 2789: Optimize unlimited memory pools, and correctly handle limits over 2GB
- Bug 2753: Fall back on IPv4 if IPv6 is not present
- Bug 2697: Adaptation leaks and extra requests after reconfiguration
- Bug 2633: Fix Ecap::HeaderRep::value(name) fails when there is no named header field
- Change LDAP helpers to default to LDAP version 3 if available
- Add Joomla and Salted Hash support to squid_db_auth helper
- Fixed IpAddress port printing for ports higher than 9999
- Disable chunked memory pooling by default.
- ... and several build errors.
The 3.1.1 is the first release of the Squid-3.1 series which has passed
the maintainer's criteria for use in production environments.
3.1.1 brings many new features and upgrades to the basic networking
protocols. A short list of the major new features is:
* Connection Pinning (for NTLM Auth Passthrough)
* Native IPv6
* Quality of Service (QoS) Flow support
* Native Memory Cache
* SSL Bump (for HTTPS Filtering and Adaptation)
* TProxy v4.1+ support
* eCAP Adaptation Module support
* Error Page Localization
* Follow X-Forwarded-For support
* X-Forwarded-For options extended (truncate, delete, transparent)
* Peer-Name ACL
* Reply headers to external ACL.
* ICAP and eCAP Logging
* ICAP Service Sets and Chains
* ICY (SHOUTcast) streaming protocol support
* HTTP/1.1 support on connections to web servers and peers.
(with plans to make this full support within the 3.1 series)
Approved by Thomas Klausner.
- Regression Fix: Make Squid abort on all config parse failures.
- Regression Bug 2811: SNMP client/peer table OID numbering
- Bug 2851: Connection pinning fails when using a peer
- Bug 2850: Mismatch in hier_code enum / hier_strings array
- Bug 2731: Add follow_x_forwarded_for support to ICAP
- Bug 2730: Regressions in follow_x_forwarded_for since Squid-2
- Bug 2706: Set timestamps during ICAP request satisfaction.
- Bug 2553: X-Forwarded-For with IPv6 address not handled correctly
- Fix: WCCPv1 not connecting to router correctly
- Remove obsolete RunCache/RunAccel scripts.
- Add client_ip_max_connections
- Add the http::>ha format code and make http::>h log original request
headers
- ... and all bug fixes from 3.0 up to 3.0.STABLE22
- ... and many more minor build and display annoyances.
This update also contains the fix for the remote DoS vulnerability
reported in "Squid Proxy Cache Security Update Advisory SQUID-2010:1".
- Regression Fix: myip ACL not accepted in config
- Bug 2795: acl arp lookups including port
- Bug 2794: ESI parsing fails on FreeBSD
- Bug 2778: fix linking issues using SunCC
- Bug 2724: eCAP build failure unless ICAP enabled
- Bug 2628: Correct default PID location to PREFIX/var/run/squid.pid
- Bug 2617: Performance degradation during processing list of dstdomain ACL's
- Bug 2374: Support ICY / ICEcast / SHOUTcast streaming protocol.
- Fix: 64-bit filesize issue in squidclient POST of large files
- Fix: send correct Connection: header on intercepted replies
- Support libtool 2.x
- ESI libraries libexpat and libxml2 now optional
- ESI support default enabled
- Bump libcap minimum requirement to libcap 2.09+
- ARP / MAC support fixes for IPv6-mode
- Add outstanding IPv6 settings to squid.conf (localnet, localhost)
- ... and many additions to the background testing structure
- ... and very many minor build and code cleanups for non-GCC compilers.
- Bug 2777: Various build issues on OpenSolaris
- Bug 2773: Segfault in RFC2069 Digest authentication
- Bug 2747: Compile errors on Solaris 10
- Bug 2735: Incomplete -fhuge-objects detection
- Bug 2722: Fix http_port accel combined with CONNECT
- Bug 2718: FTP sends EPSV2 on IPv4 connection
- Bug 2648: stateful helpers stuck in reserved
- Bug 2570: wccp2 "Here I Am" announcements not sent in memory-ony mode
- Bug 2510: digest_ldap_auth uses incorrect logic with TLS
- Bug 2483: bind() called before connect()
- Bug 2215: config file line length limit (extended to 2 KB)
- Support Accept-Language: * wildcard
- Support autoconf 2.64
- Support TPROXY for IPv6 traffic (requires kernel support)
- Support TPROXY cache cluster behind WCCPv2
- Correct ESI support to work in multi-mode Squid
- Add 0.0.0.0 as an to_localhost address
- DiskIO detection fixes and use optimal IO in default build.
- Correct peer connect-fail-limit default of 10
- Prevent squidclient sending two Accept: headers
- ... all bug fixes from 3.0.STABLE19
- ... and many more documentation fixes
Approved by Thomas Klausner.
Changes since version 3.1.0.12:
- Bug 2723 regression: enable PURGE requests if PURGE method ACL is present.
- Fix one more internal profiler error
- Language Updates: Italian, Russian
- Language Updates: Add many more aliases
- Add Copyright document for errors/ content
- ... all bug fixes from 3.0.STABLE18
- ... and several code polishing cleanups
Changes since version 3.1.0.11:
- Bug 2716: Chunked request Signed/Unsigned build error
- Bug 2674: Remove limit on HTTP headers read.
- Bug 2620: Invalid HTTP response codes causes segfault
- Fix FTP EPSV negotiation parser.
- Fix Via string when leak checking is enabled (valgrind etc)
- ... and several documentation and testing additions
This update also fixes the security vulnerabilites reported in
the SQUID-2009:2 advisory.
Changes since version 3.1.0.9:
- Bug 2087: Support adaptation sets and chains
- Bug 2459: dns error message broken when error handling delayed
- Support ICAP Retry
- Support ICAP retries based on the ICAP responses status code
- Support logging ICAP
- Support logging total DNS wait time
- Support logging response times of adaptation transactions
- General logging enhancements
- Dynamically form chains based on ICAP X-Next-Services header
- Support cross-transactional ICAP header exchange
- Bug 2680: Regression Crash after rotate with no helpers running
- Bug 2695: Regression in WCCPv2 L2 mask assignment
- Bug 2707: Regression in FTP anonymous auth
- Bug 422, 2706: RFC 2616 Date header requirements
- Bug 1087: ESI processor not quoting attributes correctly.
- Bug 1338: File prefetches aborted despite range_offset
- Bug 2080: wbinfo_group.pl - false positive under certain conditions
- Bug 2092: select loop 32-bit call counter overflows
- Bug 2127: delay pools class 4 crashes with ntlm auth
- Bug 2611: document fast/slow acl types
- Bug 2614: Potential loss of adapted body data from eCAP adapters
- Bug 2658: Missing TextException copy constructor
- Bug 2659: String length overflows on append, leading to segfaults
- Bug 2699: Build failure NTLM smb_lm helper
- Bug 2709: TRANSLATIONS not installed
- Bug 2710: squid_kerb_auth non-terminated string
- Delay pools 64-bit buckets and IPv6-polish
- Break forwarding loops for "transparent" or "intercept" http_ports.
- Add --disable-translation option to detatch .po from error negotiation
- Add squidclient man(1) page
- Add localhost to default permitted networks
- http_port allow-direct option to allow direct forwarding in accelerator mode
- ... and many testing infrastructure updates
- ... and much adaptation polish and improvements
- Bug 2682: Add ftp_epsv control to disable EPSV support.
- Bug 2665: Detach automake system from using -I.
- Bug 2395: FTP auth errors not displayed
- ... also several changes and bugs closed in 3.0.STABLE16
- Port from 2.7: Show local address on listening sockets
- Add "tag" type acl matching tags set by external acl helpers.
- Adds Language alias linker/installer/upgrade scripts
- Support for GCC 4.4
- Fix false NAT lookup errors on Linux
- Fix many Windows port issues
- Fix squid_kerb_auth helepr install location
- Better detection of IPv6 stack types
- Updates Licensing information for Squid 3.1
- ... and many packaging portability build and install issues
- Bug 2656: Pinger dies with general protection fault
- Bug 2650: configure requires epoll_ctl in libepoll when --enable-epoll used
- Bug 2648: Authentificator processes deferring and don't shutdown.
- Bug 2645: allow squid to ignore must-revalidate
- Bug 2644: auth scheme initialization is broken
- Bug 2632: Make number of reforwarding tries configurable
- Bug 2628: --with-pidfile=PATH option to override DEFAULT_PID_FILE
[This problem was reported for pkgsrc in PR pkg/41521.]
- Bug 2627: HTCP Logging
- Bug 2615: Call libecap::adapter::Service::start() when finalizing config.
- Bug 2589: SNMP returning no data - wrong oid decoded
- Bug 2571: Squid with IPv6 fails to start on kernel without IPv6
- Bug 2559: Problem parsing /0 and /0.0.0.0
- Bug 2404: WCCP in mask mode is broken
- ... also all bugs closed by 3.0.STABLE14, 3.0.STABLE15, 3.0.STABLE16-RC1
- Complete Interception multiple NAT support
- Add Content-Disposition to the known headers list.
- Make PEER_TCP_MAGIC_COUNT configurable
- Fix pinger install location
- Enable TPROXY v4 spoofing of CONNECT requests
- ... and much documentation and code polishing
various configuration and example files. Leave the installation of the
example files to "pkgsrc" instead.
Problem reported by Hasso Tepper in private e-mail.
* New Version Numbering System
* Minimal squid.conf improvements
* Native IPv6 Support
* Error Page Localization
* Connection Pinning (for NTLM Auth Passthrough)
* Quality of Service (QoS) Flow support
* SSL Bump (for HTTPS Filtering and Adaptation)
* eCAP Adaptation Module support
This package is heavily based on work by Michael van Elst which includes
fixes for the IPv6 support.
