From: Amos Jeffries
Date: Thu, 2 Feb 2023 19:47:05 +0000 (+0000)
Subject: V6 release prep (#1245)
X-Git-Tag: SQUID_6_0_1~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=552d1774787e0ef11b850837f8be9aa3b67af9ee;p=thirdparty%2Fsquid.git

V6 release prep (#1245)
---
diff --git a/ChangeLog b/ChangeLog
index 49174d44b8..196e206f5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,112 @@ +Changes in squid-6.0.1 (06 Feb 2023): + + - Bug 5256: Intercepting port fails to accept + - Bug 5241: Block all non-localhost requests by default + - Bug 5241: Block to-localhost, to-link-local requests by default + - Bug 5232: Fix GCC v12 build [-Wuse-after-free] + - Bug 5211: support.cc:355: "!filledCheck->sslErrors" assertion + - Bug 5194: Remove all unused debug sections + - Bug 5162: mgr:index URL do not produce MGR_INDEX template + - Bug 5129 pt1: remove Lock use from HttpRequestMethod + - Bug 5128: Translation: Fix % i typo in es/ERR_FORWARDING_DENIED + - Bug 5021: Add a script to fix spelling error with codespell + - Bug 4946: client_side_request.cc: "request != newRequest" + - Bug 4832: '!schemeAccess' assertion on exit + - Bug 4528: ICAP transactions quit on async DNS lookups + - Add scripts/trace-context.pl: a debugging tool + - Remove cache_diff tool + - Remove membanger tool + - Remove pconn-banger tool + - Remove recv-announce tool + - Remove send-announce tool + - Remove tcp-banger* tools + - Remove ufsdump tool + - Remove support for Gopher protocol + - Remove support for unused libbsd + - Remove bundled GnuRegex library + - Remove CPU profiler mechanism + - Remove leakfinder (--enable-leakfinder) + - Remove --enable-kill-parent-hack + - Remove --disable-loadable-modules + - Remove unused/disabled/broken LEAK_CHECK_MODE code + - Remove SCO 3.2 support + - Remove m88k-specific support + - Remove NeXTSTEP support + - Remove HPUX compiler support + - Remove CBDATA debugging + - Require C++17 + - ext_kerberos_ldap_group_acl: Support -b with -D + - ext_lm_group_acl: Improved username handling + - negotiate_wrapper: ensure null-termination of strings + - pinger: Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding + - HTTP: Replaced X-Cache and X-Cache-Lookup headers with Cache-Status + - HTTP: Update Host, Via, and other headers in-place when possible + - HTTP: Update status code 413 compliance + - RFC 9110: Reject different HTTP 
requests with unusual framing + - RFC 9111: Stop treating Warning specially + - RFC 9113: update documentation references + - RFC 9218: Priority header registration + - SSL-Bump: Remove step2+ stare-and-splice and peek-and-bump support + - TLS: Do not send more than one self-signed certificate + - TLS: Sort CA certificates in tls-cert=bundle + - TLS: Preserve configured order of intermediate CA certificate chain + - WCCP: Validate packets better + - CI: Support "negative" squid-conf-tests + - CI: Maintenance: Support custom astyle versions + - CI: test-builds.sh: in case of error dump full log + - CI: Add --progress option to test-builds.sh + - CI: Change time_units test to also work on 32bit systems + - CI: Maintenance: Update astyle version to 3.1 + - Add cache_log_message directive + - Add paranoid_hit_validation directive + - Add tls_key_log to report TLS communication secrets + - Add %busy_time logformat code + - Add %transport::>connection_id logformat code + - Add %request_attempts logformat code + - Warn about some bad from-helper annotations + - Ban acl key changes in req_header, rep_header, and note ACLs + - Optimize ephemeral port reuse with IP_BIND_ADDRESS_NO_PORT + - Honor httpd_suppress_version_string in more contexts + - Honor ftp_port worker-queues option + - Log early level-0/1 debugs() messages to cache_log + - Support reliable zeroing of sensitive buffers + - Do not overwrite caching bans + - Do not blame cache_peer for 4xx CONNECT responses + - Mimic GET reforwarding decisions when our CONNECT fails + - Discarded connections do not contribute to forward_max_tries + - Honor assertions during shutdown + - Do not stop listening after "ERROR: NAT/TPROXY lookup failed..." + - Do not skip problematic regexes in ACLs + - Improve coredump_dir on FreeBSD and Solaris based OS + - Avoid reverse DNS lookups when logformat %>A is unused + - BUG: Unexpected state while connecting to ... 
server + - Properly track (and mark) truncated store entries + - Support "file" syntax for 'squid_error' and 'has' ACL parameters + - Allow sending "squid -k ..." signals to PID 1 + - Remove bogus "found KEY_PRIVATE" WARNINGs + - Avoid "BUG #3329: Lost orphan ..." during accept problems + - Report SMP store queues state (mgr:store_queues) + - Remove 8K limit for single access.log line + - Rename ./configure option --with-libxml2 to --with-xml2 + - Rename ./configure option --with-libcap to --with-cap + - Match ./configure --help parameter names with their defaults + - Fix typo in manager ACL + - Fix milliseconds in certain cache.log messages + - Fix ignore-cc/act-as-origin in wildcard split-stack ports + - Fix comm.cc:644: "address.port() != 0" assertion + - Fix StoreMap.cc "anchorAt(anchorId).reading()" assertions + - Fix double-free segmentation fault on shutdown + - Fix client_side_request.cc:2028 "request->method.id()" assertion + - Fix reconfiguration leaking tls-cert=... memory + - Fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY handling + - Fix "mem_obj->inmem_lo == 0" assertion in StoreEntry::swapOut() + - Fix TCP keepalive + - Fix SslBump reconfiguration leaking public key memory + - Fix socket accounting for TCP accept() + - ... and many documentation changes + - ... and much code cleanup and polishing + - ... and all fixes from 5.8 + Changes in squid-5.7 (05 Sep 2022): - Regression Fix: Typo in manager ACL diff --git a/configure.ac b/configure.ac index b63ea2103c..021494632e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -132,6 +132,9 @@ AC_SUBST(AR_R) AC_PATH_PROG(LINUXDOC, linuxdoc, $FALSE) AM_CONDITIONAL(ENABLE_RELEASE_DOCS, test "x${ac_cv_path_LINUXDOC}" != "x$FALSE") +SQUID_RELEASE=`echo $VERSION | cut -d. -f1` +AC_SUBST(SQUID_RELEASE) + # pre-define DEFAULT_PREFIX, some modules need it. AS_IF([test "${prefix}" = "NONE"],[squid_prefix=$ac_default_prefix],[squid_prefix=$prefix]) AC_DEFINE_UNQUOTED(DEFAULT_PREFIX,[$squid_prefix],[The install prefix]) diff --git a/doc/release-notes/Makefile.am b/doc/release-notes/Makefile.am index e3d1b9e299..b5821c857e 100644 --- a/doc/release-notes/Makefile.am +++ b/doc/release-notes/Makefile.am @@ -8,16 +8,7 @@ # requires the linuxdoc tools if ENABLE_RELEASE_DOCS -DOC= release-6 - -%.ps: %.sgml - linuxdoc -B latex -o ps $(DOC) - -#$(DOC).dvi: $(DOC).tex -# latex $(DOC).tex -# latex $(DOC).tex -# latex $(DOC).tex -# +DOC= release-$(SQUID_RELEASE) %.txt: %.sgml linuxdoc -B txt --filter $< @@ -28,7 +19,10 @@ DOC= release-6 cp -p $@ $(top_builddir)/RELEASENOTES.html %.man: %.sgml - linuxdoc -B txt -T 2 -m $(DOC) + linuxdoc -B txt --manpage $< + +%.info: %.sgml + linuxdoc -B info $< dist-hook: $(DOC).html @if test -f $(builddir)/$(DOC).html; then \ diff --git a/doc/release-notes/release-6.sgml b/doc/release-notes/release-6.sgml index e043936fc3..3b40366f2f 100644 --- a/doc/release-notes/release-6.sgml +++ b/doc/release-notes/release-6.sgml @@ -1,6 +1,6 @@
-Squid 6.0.0 release notes +Squid 6.0.1 release notes Squid Developers @@ -12,7 +12,7 @@ for Applied Network Research and members of the Web Caching community. Notice -

The Squid Team are pleased to announce the release of Squid-6.0.0 for testing. +

The Squid Team are pleased to announce the release of Squid-6.0.1 for testing. This new release is available for download from or the . @@ -25,11 +25,17 @@ This new release is available for download from . -

Support for compiling on HPUX with the native HP xcc compiler has been removed. To build on that OS/compiler combination, it is possible to pass these environemnt variables to ./configure: CC="cxx -Ae" RANLIB=":" + +

Support for compiling on HPUX with the native HP xcc compiler has been removed. + To build on that OS/compiler combination, it is possible to pass these environment variables + to ./configure: CC="cxx -Ae" RANLIB=":" + +

This release adds a dependency on C++17 support in any compiler used to build Squid. + GCC 8+ and Clang 8+ support C++17. Changes since earlier releases of Squid-6

-The Squid-6 change history can be . +The Squid-6 change history can be . Major new features since Squid-5 @@ -37,11 +43,157 @@ The Squid-6 change history can be + for details. + +Ban ACL key changes in ACLs +

More info in the + +

Certain Squid ACLs can check the value of a specific key=value where + the key name is configurable. These ACLs are unable to check multiple + different key names. + +

Squid did write a cache.log ERROR for req_header/rep_header key changes + but was silent about the preceding note ACL rules being + ineffective after a key name change. + +

Squid will now actively reject all such configurations. + +Block to-local Traffic +

More info in the policy change + and the ACL creation + +

This Squid introduces the to_linklocal ACL as pre-defined to + match requests from 169.254.0.0/16 and fe80::/10. + +

The default configuration settings are changed to: + + http_access allow localhost + http_access deny to_localhost + http_access deny to_linklocal + # http_access allow localnet + + +

These changes only affect the default squid.conf and new installs. + Upgraded installations will continue to use their previous settings. + +RFC 9211: HTTP Cache-Status support +

See also + +

This HTTP header replaces X-Cache and X-Cache-Lookup + which are no longer emitted by Squid. Any tools or management systems + relying on those X- headers need to be upgraded to work with + the new standardized header. + +RFC 9111: Stop treating Warning specially +

RFC 9111 obsoletes the Warning header, removing all specification +requirements about it + +

This Squid changes behaviour in regards to that header: + +1) Squid no longer adds Warning headers to generated or forwarded + messages. Miss responses from servers/peers and hits cached by an + older version of Squid may still have Warning headers. + +2) On 304 revalidation, Warning header are treated the same as any + other/generic header. They are added or replaced according to their + presence in the 304 reply. Absent any Warning update by a 304, Squid + may still deliver cached content with old Warning headers. + +3) Squid no longer validates received Warning headers. RFC 7234 placed + syntax requirements and limits on how old some Warning values could + be (when dated). Those checks are no longer being performed. The + header value is now treated as an opaque string. + +4) Warning header usage and types are no longer tracked in message + statistics available through cache manager. + + +ext_kerberos_ldap_group_acl: Support -b with -D +

Previous versions of this helper ignore the -b option when + the -D option is used. + +

Fixing this limitation adds support for FreeIPA and limited subtree + searching. + +Remove Gopher Protocol Support +

With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +gopher:// URL scheme result in ERR_UNSUP_REQ. + +

Default Squid configuration still considers TCP port 70 safe. The +corresponding Safe_ports ACL rule has not been removed. + +Removed Outdated Tools +

We do not have enough resources/demand for maintaining these tools, they +do require maintenance, and there are better tools available. + + + cache_diff which has no users according to community + poll results in 2020. + + GnuRegex library implementation. Modern operating + systems provide a functioning regex library, so we do not need to + carry one anymore. + + membanger which has not built for many years. + + pconn-banger lacked build rules since inception (1997) + and probably could not be built manually since at least 2007. + + recv-announce which has not built for many years. + + send-announce which is very much outdated and unused + since the decline of the service. + + tcp-banger2 is not built by default and probably could + not be built at all since at least 2006. + + tcp-banger3 lacked build rules since inception (1998) + and probably could not be built manually (by mimicking tcp-banger2 + build commands) without warnings since 2002. + + tcp-banger.pl has portability and code quality issues; + its basic functionality is supported by squidclient, wget, curl, and + others. + + ufsdump was not built by default since 2010 and its build + has been failing since before 2017. + + Changes to squid.conf since Squid-5

@@ -57,18 +209,70 @@ This section gives an account of those changes in three categories: New directives

-

There have been no directives added. + paranoid_hit_validation +

Controls whether to perform extra internal checks when loading + entries from the on-disk cache + + cache_log_message +

Configure logging options on a per-message basis, overriding the + per-section options. Message IDs are guaranteed stable across builds and + releases. Only a few messages support this for now. Changes to existing directives

+ time units +

All directives accepting time values now accept a time unit suffix + from nanosecond to decade + + sslcrtvalidator_program +

New ttl=infinity option to disable TTL expiry on stored helper responses. + + logformat +

New transport::>connection_id code to display which transport-level + connection the request was received. +

New busy_time code to display the cumulative CPU time spent processing + the request, excluding the time spent waiting for external resources. + WARNING: this time is approximate and is known to have bugs and gaps, + so consider it a lower bound +

New request_attempts code to display how many forwarding attempts were + made for this request. + server_cert_fingerprint

Removed the broken -sha option. SHA1 remains the default and only supported fingerprinting algorithm. Configuring it is unnecessary. Removed directives

+ + announce_file +

Obsolete. Squid no longer provides functionality to enroll in the + cache registration service + +

+

+ + announce_host +

Obsolete. Squid no longer provides functionality to enroll in the + cache registration service + +

+

+ + announce_period +

Obsolete. Squid no longer provides functionality to enroll in the + cache registration service + +

+

+ + announce_port +

Obsolete. Squid no longer provides functionality to enroll in the + cache registration service + +

+

request_entities

Obsolete. Squid accepts an entity (aka payload, body) on @@ -110,6 +314,10 @@ This section gives an account of those changes in three categories: --with-xml2

Replacement for --with-libxml2. + --with-ldap +

Compile with OpenLDAP, Mozilla LDAP, or Windows LDAP support. +

LDAP support is enabled by default. Use --without-ldap to disable. + Changes to existing options

This feature has been of limited use since AsyncCalls feature took over much of the CBDATA functionality. + --enable-gnuregex +

Squid no longer ships with a built-in GnuRegex implementation. + --enable-kill-parent-hack

This feature has been deprecated for years. Other features such as --foreground command line argument should be used instead. + --enable-leakfinder +

Removed. Using Valgrind for leak detection is still supported. + --disable-loadable-modules

This option was performing the same duties as --disable-shared.
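Review bot: In the ChangeLog hunk, the entry `- BUG: Unexpected state while connecting to ... server` reads as a quoted error message rather than a change; prefix it like its neighbours (`- Fix BUG: Unexpected state while connecting to ... server`) so it is clear the condition was resolved. In the same hunk, `- Ban acl key changes in req_header, rep_header, and note ACLs` should spell `ACL` in upper case to match the release-notes heading `Ban ACL key changes in ACLs` added in release-6.sgml.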
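Review bot: In the configure.ac hunk, `SQUID_RELEASE=\`echo $VERSION | cut -d. -f1\`` derives the major version without checking that the result is a plain integer; if `$VERSION` ever lacks a dot, the whole string is substituted and doc/release-notes/Makefile.am will look for a non-existent `release-<string>.sgml`. A comment above the assignment saying that this value selects the release-notes document, plus an `AS_CASE` guard that fails configure on a non-numeric value, would make both the intent and the failure mode explicit.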
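Review bot: In the first doc/release-notes/Makefile.am hunk, `DOC= release-$(SQUID_RELEASE)` makes `dist-hook: $(DOC).html` depend on a file that must be hand-written for every new major version; the removed `-DOC= release-6` made that requirement visible, so add a comment next to the new assignment stating that `release-N.sgml` must exist before `make dist` for Squid-N. Dropping the dead `%.ps` rule and the commented-out `$(DOC).dvi` recipe is fine.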
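Review bot: In the second doc/release-notes/Makefile.am hunk, the new `%.info: %.sgml` rule is not referenced by any target visible in this file (`dist-hook` only builds `$(DOC).html`), so it is unreachable unless someone runs `make release-6.info` by hand; either wire it into the default targets or drop it. The `%.man` rule now takes its input from `$<` instead of `$(DOC)`, which is the correct form for a pattern rule and matches the existing `%.txt` rule.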
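Review bot: In the release-6.sgml hunk at `@@ -25,11 +25,17 @@`, the HPUX paragraph says native HP xcc compiler support has been removed and then gives `CC="cxx -Ae" RANLIB=":"` as a way to build on that compiler; say explicitly that the workaround is unsupported so the two sentences do not read as contradictory. The new C++17 sentence (`GCC 8+ and Clang 8+ support C++17.`) should also say that other compilers are untested, since the requirement applies to "any compiler used to build Squid".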
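Review bot: In the release-6.sgml hunk at `@@ -37,11 +43,157 @@`, the "Block to-local Traffic" section should spell out what the shown rule order means: because `http_access allow localhost` precedes `http_access deny to_localhost` and `http_access deny to_linklocal`, requests originating on the proxy host itself still reach localhost and link-local destinations, and with `# http_access allow localnet` commented out, no other client is allowed by default. Administrators auditing the new defaults need that stated rather than inferred. Minor wording in the same hunk: `removing all specification requirements about it` lacks a full stop, `Warning header are treated` should read `Warning headers are treated`, and `Previous versions of this helper ignore the -b option` should be past tense (`ignored`).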
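Review bot: In the release-6.sgml hunk at `@@ -57,18 +209,70 @@`, `New transport::>connection_id code to display which transport-level connection the request was received.` is missing the preposition (`was received on.`); `entries from the on-disk cache`, `from nanosecond to decade` and `so consider it a lower bound` all lack a terminating full stop. The busy_time WARNING is useful; since the note says the value "is known to have bugs and gaps", also state that it should not be used for billing or SLA reporting, which is how a lower-bound CPU figure is most likely to be misread.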
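Review bot: In the release-6.sgml hunk at `@@ -110,6 +314,10 @@`, the `--enable-gnuregex` entry under "Changes to existing options" says the built-in implementation no longer ships but does not say what happens if the option is still passed; start it with `Removed.` as the `--enable-leakfinder` entry does, so the two removed options are described consistently. The `--with-ldap` entry is listed as a new option yet says LDAP support is enabled by default; clarify whether this only adds an explicit switch for behaviour that was previously automatic, so upgraders know whether to pass `--without-ldap`.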