+Changes in squid-6.0.1 (06 Feb 2023):
+
+ - Bug 5256: Intercepting port fails to accept
+ - Bug 5241: Block all non-localhost requests by default
+ - Bug 5241: Block to-localhost, to-link-local requests by default
+ - Bug 5232: Fix GCC v12 build [-Wuse-after-free]
+ - Bug 5211: support.cc:355: "!filledCheck->sslErrors" assertion
+ - Bug 5194: Remove all unused debug sections
+ - Bug 5162: mgr:index URL do not produce MGR_INDEX template
+ - Bug 5129 pt1: remove Lock use from HttpRequestMethod
+ - Bug 5128: Translation: Fix % i typo in es/ERR_FORWARDING_DENIED
+ - Bug 5021: Add a script to fix spelling error with codespell
+ - Bug 4946: client_side_request.cc: "request != newRequest"
+ - Bug 4832: '!schemeAccess' assertion on exit
+ - Bug 4528: ICAP transactions quit on async DNS lookups
+ - Add scripts/trace-context.pl: a debugging tool
+ - Remove cache_diff tool
+ - Remove membanger tool
+ - Remove pconn-banger tool
+ - Remove recv-announce tool
+ - Remove send-announce tool
+ - Remove tcp-banger* tools
+ - Remove ufsdump tool
+ - Remove support for Gopher protocol
+ - Remove support for unused libbsd
+ - Remove bundled GnuRegex library
+ - Remove CPU profiler mechanism
+ - Remove leakfinder (--enable-leakfinder)
+ - Remove --enable-kill-parent-hack
+ - Remove --disable-loadable-modules
+ - Remove unused/disabled/broken LEAK_CHECK_MODE code
+ - Remove SCO 3.2 support
+ - Remove m88k-specific support
+ - Remove NeXTSTEP support
+ - Remove HPUX compiler support
+ - Remove CBDATA debugging
+ - Require C++17
+ - ext_kerberos_ldap_group_acl: Support -b with -D
+ - ext_lm_group_acl: Improved username handling
+ - negotiate_wrapper: ensure null-termination of strings
+ - pinger: Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding
+ - HTTP: Replaced X-Cache and X-Cache-Lookup headers with Cache-Status
+ - HTTP: Update Host, Via, and other headers in-place when possible
+ - HTTP: Update status code 413 compliance
+ - RFC 9110: Reject different HTTP requests with unusual framing
+ - RFC 9111: Stop treating Warning specially
+ - RFC 9113: update documentation references
+ - RFC 9218: Priority header registration
+ - SSL-Bump: Remove step2+ stare-and-splice and peek-and-bump support
+ - TLS: Do not send more than one self-signed certificate
+ - TLS: Sort CA certificates in tls-cert=bundle
+ - TLS: Preserve configured order of intermediate CA certificate chain
+ - WCCP: Validate packets better
+ - CI: Support "negative" squid-conf-tests
+ - CI: Maintenance: Support custom astyle versions
+ - CI: test-builds.sh: in case of error dump full log
+ - CI: Add --progress option to test-builds.sh
+ - CI: Change time_units test to also work on 32bit systems
+ - CI: Maintenance: Update astyle version to 3.1
+ - Add cache_log_message directive
+ - Add paranoid_hit_validation directive
+ - Add tls_key_log to report TLS communication secrets
+ - Add %busy_time logformat code
+ - Add %transport::>connection_id logformat code
+ - Add %request_attempts logformat code
+ - Warn about some bad from-helper annotations
+ - Ban acl key changes in req_header, rep_header, and note ACLs
+ - Optimize ephemeral port reuse with IP_BIND_ADDRESS_NO_PORT
+ - Honor httpd_suppress_version_string in more contexts
+ - Honor ftp_port worker-queues option
+ - Log early level-0/1 debugs() messages to cache_log
+ - Support reliable zeroing of sensitive buffers
+ - Do not overwrite caching bans
+ - Do not blame cache_peer for 4xx CONNECT responses
+ - Mimic GET reforwarding decisions when our CONNECT fails
+ - Discarded connections do not contribute to forward_max_tries
+ - Honor assertions during shutdown
+ - Do not stop listening after "ERROR: NAT/TPROXY lookup failed..."
+ - Do not skip problematic regexes in ACLs
+ - Improve coredump_dir on FreeBSD and Solaris based OS
+ - Avoid reverse DNS lookups when logformat %>A is unused
+ - BUG: Unexpected state while connecting to ... server
+ - Properly track (and mark) truncated store entries
+ - Support "file" syntax for 'squid_error' and 'has' ACL parameters
+ - Allow sending "squid -k ..." signals to PID 1
+ - Remove bogus "found KEY_PRIVATE" WARNINGs
+ - Avoid "BUG #3329: Lost orphan ..." during accept problems
+ - Report SMP store queues state (mgr:store_queues)
+ - Remove 8K limit for single access.log line
+ - Rename ./configure option --with-libxml2 to --with-xml2
+ - Rename ./configure option --with-libcap to --with-cap
+ - Match ./configure --help parameter names with their defaults
+ - Fix typo in manager ACL
+ - Fix milliseconds in certain cache.log messages
+ - Fix ignore-cc/act-as-origin in wildcard split-stack ports
+ - Fix comm.cc:644: "address.port() != 0" assertion
+ - Fix StoreMap.cc "anchorAt(anchorId).reading()" assertions
+ - Fix double-free segmentation fault on shutdown
+ - Fix client_side_request.cc:2028 "request->method.id()" assertion
+ - Fix reconfiguration leaking tls-cert=... memory
+ - Fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY handling
+ - Fix "mem_obj->inmem_lo == 0" assertion in StoreEntry::swapOut()
+ - Fix TCP keepalive
+ - Fix SslBump reconfiguration leaking public key memory
+ - Fix socket accounting for TCP accept()
+ - ... and many documentation changes
+ - ... and much code cleanup and polishing
+ - ... and all fixes from 5.8
+
Changes in squid-5.7 (05 Sep 2022):
- Regression Fix: Typo in manager ACL
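Review bot: Bug 5241 appears twice with different summaries ("Block all non-localhost requests by default" and "Block to-localhost, to-link-local requests by default"). If both lines describe one fix, merge them into a single entry; if they are separate commits against the same bug, label them pt1/pt2 the way the Bug 5129 entry does, so a reader can map each ChangeLog line to a change.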
<!doctype linuxdoc system>
<article>
-<title>Squid 6.0.0 release notes</title>
+<title>Squid 6.0.1 release notes</title>
<author>Squid Developers</author>
<abstract>
<toc>
<sect>Notice
-<p>The Squid Team are pleased to announce the release of Squid-6.0.0 for testing.
+<p>The Squid Team are pleased to announce the release of Squid-6.0.1 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v6/"> or the
<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
<sect1>Known issues
<p>Although this release is deemed good enough for use in many setups, please note the existence of
<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=6" name="open bugs against Squid-6">.
-<p>Support for compiling on HPUX with the native HP <em>xcc</em> compiler has been removed. To build on that OS/compiler combination, it is possible to pass these environemnt variables to ./configure: <em>CC="cxx -Ae" RANLIB=":"</em>
+
+<p>Support for compiling on HPUX with the native HP <em>xcc</em> compiler has been removed.
+ To build on that OS/compiler combination, it is possible to pass these environment variables
+ to ./configure: <em>CC="cxx -Ae" RANLIB=":"</em>
+
+<p>This release adds a dependency on C++17 support in any compiler used to build Squid.
+ GCC 8+ and Clang 8+ support C++17.
<sect1>Changes since earlier releases of Squid-6
<p>
-The Squid-6 change history can be <url url="http://www.squid-cache.org/Versions/v6/changesets/" name="viewed here">.
+The Squid-6 change history can be <url url="https://github.com/squid-cache/squid/commits/v6" name="viewed here">.
<sect>Major new features since Squid-5
<p>The most important of these new features are:
<itemize>
- <item>No new features documented yet.
+ <item>TLS ServerHello
+ <item>Log TLS Communication Secrets
+ <item>Ban ACL key Changes in ACLs
+ <item>Block to-local Traffic
+ <item>RFC 9211: HTTP Cache-Status support
+ <item>RFC 9111: Stop treating Warning specially
+ <item>ext_kerberos_ldap_group_acl: Support -b with -D
+ <item>Remove Gopher Protocol Support
+ <item>Remove Outdated Tools
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
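Review bot: the feature-list items should match the sect1 titles they point at: "Ban ACL key Changes in ACLs" versus the section "Ban ACL key changes in ACLs", and "Remove Outdated Tools" versus "Removed Outdated Tools". "TLS ServerHello" is also a protocol message name rather than a feature; a title such as "TLS certificate chain ordering" would tell readers what actually changed.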
+<sect1>TLS ServerHello
+<p>Squid is now more lenient towards misconfigured <em>tls-cert=</em> file
+ contents. Squid will attempt to sort the CA chain and send certificates in
+ the order required by TLS ServerHello.
+
+<p>Squid no longer sends the <em>tls-clientca=</em> on <em>https_port</em>
+ server handshakes. This fix breaks misconfigured Squid deployments that
+ (usually unknowingly) rely on the OpenSSL clientca 'leak' to build a
+ complete https_port server certificate chain sent to TLS clients. Such
+ deployments should add the right intermediate CA certificate(s) to their
+ <em>tls-cert=</em> bundle (or equivalent).
+
+<sect1>Log TLS Communication Secrets
+<p>Squid now records pre-master secret and related encryption details for TLS
+ connections accepted or established by Squid. These connections include
+ connections accepted at <em>https_port</em>, TLS connections opened to
+ origin servers/<em>cache_peer</em>/ICAP services, and TLS tunnels bumped by
+ Squid using the SslBump feature.
+
+<p>Logging of these details are controlled by the <em>tls_key_log</em>. See
+ <url url="http://www.squid-cache.org/Doc/config/tls_key_log/" name="squid.conf documentation">
+ for details.
+
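Review bot: "Logging of these details are controlled by the tls_key_log" should read "is controlled by the tls_key_log directive". More importantly, since the file records pre-master secrets, anyone able to read it can decrypt every TLS session it covers, including SslBump'ed client traffic; the notes should state that tls_key_log is a debugging aid, that the log file needs restrictive ownership and permissions, and that it should stay disabled in production unless actively troubleshooting.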
+<sect1>Ban ACL key changes in ACLs
+<p>More info in the <url url="https://github.com/squid-cache/squid/commit/4a3b85322ce5a464175eb49ddb5be413794b25b8" name="commit description">
+
+<p>Certain Squid ACLs can check the value of a specific key=value where
+ the key name is configurable. These ACLs are unable to check multiple
+ different key names.
+
+<p>Squid did write a cache.log ERROR for req_header/rep_header key changes
+ but was silent about the preceding <em>note</em> ACL rules being
+ ineffective after a key name change.
+
+<p>Squid will now actively reject all such configurations.
+
+<sect1>Block to-local Traffic
+<p>More info in the policy change <url url="https://github.com/squid-cache/squid/commit/f13e556e4ce743369dee4782b78c87d65580ab00" name="commit">
+ and the ACL creation <url url="https://github.com/squid-cache/squid/commit/6d2f8ed096bf5c013b8560451e41d8772c64ba66" name="commit">
+
+<p>This Squid introduces the <em>to_linklocal</em> ACL as pre-defined to
+ match requests from 169.254.0.0/16 and fe80::/10.
+
+<p>The default configuration settings are changed to:
+<verb>
+ http_access allow localhost
+ http_access deny to_localhost
+ http_access deny to_linklocal
+ # http_access allow localnet
+</verb>
+
+<p>These changes only affect the default squid.conf and new installs.
+ Upgraded installations will continue to use their previous settings.
+
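Review bot: "match requests from 169.254.0.0/16 and fe80::/10" describes the wrong direction. An ACL named to_linklocal, used in "http_access deny to_linklocal" next to to_localhost, matches requests whose destination falls in those ranges, so this should read "requests to". Since the paragraph notes that upgraded installations keep their previous settings, it is worth adding that existing deployments should add the two deny lines themselves to get the same protection.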
+<sect1>RFC 9211: HTTP Cache-Status support
+<p>See also <url url="https://www.rfc-editor.org/rfc/rfc9211" name="RFC 9211">
+
+<p>This HTTP header replaces <em>X-Cache</em> and <em>X-Cache-Lookup</em>
+ which are no longer emitted by Squid. Any tools or management systems
+ relying on those <em>X-</em> headers need to be upgraded to work with
+ the new standardized header.
+
+<sect1>RFC 9111: Stop treating Warning specially
+<p>RFC 9111 obsoletes the Warning header, removing all specification
+requirements about it
+
+<p>This Squid changes behaviour in regards to that header:
+<itemize>
+<item>1) Squid no longer adds Warning headers to generated or forwarded
+ messages. Miss responses from servers/peers and hits cached by an
+ older version of Squid may still have Warning headers.
+
+<item>2) On 304 revalidation, Warning header are treated the same as any
+ other/generic header. They are added or replaced according to their
+ presence in the 304 reply. Absent any Warning update by a 304, Squid
+ may still deliver cached content with old Warning headers.
+
+<item>3) Squid no longer validates received Warning headers. RFC 7234 placed
+ syntax requirements and limits on how old some Warning values could
+ be (when dated). Those checks are no longer being performed. The
+ header value is now treated as an opaque string.
+
+<item>4) Warning header usage and types are no longer tracked in message
+ statistics available through cache manager.
+</itemize>
+
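Review bot: the Warning items carry manual "1)" to "4)" numbers inside an <itemize>, which renders as bullets plus numbers; either use <enum> or drop the numbers. Also "Warning header are treated the same as any other/generic header" should be "Warning headers are treated", and the sentence ending "removing all specification requirements about it" lacks a period.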
+<sect1>ext_kerberos_ldap_group_acl: Support -b with -D
+<p>Previous versions of this helper ignore the <em>-b</em> option when
+ the <em>-D</em> option is used.
+
+<p>Fixing this limitation adds support for FreeIPA and limited subtree
+ searching.
+
+<sect1>Remove Gopher Protocol Support
+<p>With this change, Gopher requests will be handled like any other request
+with an unknown (to Squid) protocol. For example, HTTP requests with
+<em>gopher://</em> URL scheme result in ERR_UNSUP_REQ.
+
+<p>Default Squid configuration still considers TCP port 70 safe. The
+corresponding Safe_ports ACL rule has not been removed.
+
+<sect1>Removed Outdated Tools
+<p>We do not have enough resources/demand for maintaining these tools, they
+do require maintenance, and there are better tools available.
+
+<itemize>
+ <item><em>cache_diff</em> which has no users according to community
+ poll results in 2020.
+
+ <item><em>GnuRegex</em> library implementation. Modern operating
+ systems provide a functioning regex library, so we do not need to
+ carry one anymore.
+
+ <item><em>membanger</em> which has not built for many years.
+
+ <item><em>pconn-banger</em> lacked build rules since inception (1997)
+ and probably could not be built manually since at least 2007.
+
+ <item><em>recv-announce</em> which has not built for many years.
+
+ <item><em>send-announce</em> which is very much outdated and unused
+ since the decline of the <url url="http://ircache.nlanr.net/" name="NLANR IRCache"> service.
+
+ <item><em>tcp-banger2</em> is not built by default and probably could
+ not be built at all since at least 2006.
+
+ <item><em>tcp-banger3</em> lacked build rules since inception (1998)
+ and probably could not be built manually (by mimicking tcp-banger2
+ build commands) without warnings since 2002.
+
+ <item><em>tcp-banger.pl</em> has portability and code quality issues;
+ its basic functionality is supported by squidclient, wget, curl, and
+ others.
+
+ <item<em>ufsdump</em> was not built by default since 2010 and its build
+ has been failing since before 2017.
+</itemize>
+
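Review bot: "<item<em>ufsdump</em>" is missing the closing ">" of the item tag, so the SGML parser sees a malformed tag and will either fail the linuxdoc build or swallow the ufsdump entry; change it to "<item><em>ufsdump</em>". While here, the opening sentence "We do not have enough resources/demand for maintaining these tools, they do require maintenance, and there are better tools available." reads better split: "These tools require maintenance that we lack the resources and demand to provide, and better tools are available."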
<sect>Changes to squid.conf since Squid-5
<p>
<sect1>New directives<label id="newdirectives">
<p>
<descrip>
- <p>There have been no directives added.
+ <tag>paranoid_hit_validation</tag>
+ <p>Controls whether to perform extra internal checks when loading
+ entries from the on-disk cache
+
+ <tag>cache_log_message</tag>
+ <p>Configure logging options on a per-message basis, overriding the
+ per-section options. Message IDs are guaranteed stable across builds and
+ releases. Only a few messages support this for now.
</descrip>
<sect1>Changes to existing directives<label id="modifieddirectives">
<p>
<descrip>
+ <tag>time units</tag>
+ <p>All directives accepting time values now accept a time unit suffix
+ from nanosecond to decade
+
+ <tag>sslcrtvalidator_program</tag>
+ <p>New <em>ttl=infinity</em> option to disable TTL expiry on stored helper responses.
+
+ <tag>logformat</tag>
+ <p>New <em>transport::>connection_id</em> code to display which transport-level
+ connection the request was received.
+ <p>New <em>busy_time</em> code to display the cumulative CPU time spent processing
+ the request, excluding the time spent waiting for external resources.
+ WARNING: this time is approximate and is known to have bugs and gaps,
+ so consider it a lower bound
+ <p>New <em>request_attempts</em> code to display how many forwarding attempts were
+ made for this request.
+
<tag>server_cert_fingerprint</tag>
<p>Removed the broken <em>-sha</em> option. <em>SHA1</em> remains the default and only supported fingerprinting algorithm. Configuring it is unnecessary.
</descrip>
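Review bot: "to display which transport-level connection the request was received" is missing "on" at the end. The time-units entry ("from nanosecond to decade") and the busy_time WARNING sentence ("so consider it a lower bound") also lack terminating periods; since that warning tells operators the value has known gaps, keep it as its own sentence so it is not missed by anyone planning to use busy_time for accounting.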
<sect1>Removed directives<label id="removeddirectives">
<p>
+<descrip>
+ <tag>announce_file</tag>
+ <p>Obsolete. Squid no longer provides functionality to enroll in the
+ cache registration service
+</descrip>
+</p>
+<p>
+<descrip>
+ <tag>announce_host</tag>
+ <p>Obsolete. Squid no longer provides functionality to enroll in the
+ cache registration service
+</descrip>
+</p>
+<p>
+<descrip>
+ <tag>announce_period</tag>
+ <p>Obsolete. Squid no longer provides functionality to enroll in the
+ cache registration service
+</descrip>
+</p>
+<p>
+<descrip>
+ <tag>announce_port</tag>
+ <p>Obsolete. Squid no longer provides functionality to enroll in the
+ cache registration service
+</descrip>
+</p>
+<p>
<descrip>
<tag>request_entities</tag>
<p>Obsolete. Squid accepts an entity (aka payload, body) on
<tag>--with-xml2</tag>
<p>Replacement for <em>--with-libxml2</em>.
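Review bot: the four announce_* entries each open their own <descrip> wrapped in <p>...</p>, unlike every other section on this page, which lists all tags in a single <descrip> (the existing one holding request_entities directly below them). Fold them into that list as consecutive <tag> entries and drop the </p> closers the document does not otherwise use; the four identical descriptions also want a period after "cache registration service".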
+ <tag>--with-ldap</tag>
+ <p>Compile with OpenLDAP, Mozilla LDAP, or Windows LDAP support.
+ <p>LDAP support is enabled by default. Use <em>--without-ldap</em> to disable.
+
</descrip>
<sect1>Changes to existing options<label id="modifiedoptions">
<p>This feature has been of limited use since AsyncCalls feature
took over much of the CBDATA functionality.
+ <tag>--enable-gnuregex</tag>
+ <p>Squid no longer ships with a built-in GnuRegex implementation.
+
<tag>--enable-kill-parent-hack</tag>
<p>This feature has been deprecated for years. Other features such as
<em>--foreground</em> command line argument should be used instead.
+ <tag>--enable-leakfinder</tag>
+ <p>Removed. Using Valgrind for leak detection is still supported.
+
<tag>--disable-loadable-modules</tag>
<p>This option was performing the same duties as <em>--disable-shared</em>.
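Review bot: the --enable-gnuregex entry says only that Squid no longer ships a built-in GnuRegex implementation but not what happens to the option itself, whereas the neighbouring --enable-leakfinder entry states "Removed." explicitly. Both are listed as removals in the ChangeLog above, so say "Removed." for gnuregex too, and consider whether both belong under "Changes to existing options" at all.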