+Changes to squid-3.2.0.11 (28 Aug 2011):
+
+ - Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control
+ - Host: authority validation of intercepted destination IP
+ - Host: authority validation of request URL
+ - Host: authority validation of CONNECT tunnel destination
+ - Preserve client destination IP in intercepted communication
+ - Regression Bug 3316: Failed to connect to nameserver using TCP
+ - Regression Bug 3311: segmentation fault in getMyPort() with only intercept port set
+ - Regression Bug 3310: %<pt translates as %<p
+ - Regression Bug 3301: ERR_DNS_FAIL never shown (partial)
+ - Regression Bug 3288: %<la and %<lp not displaying
+ - Bug 3289: cache manager parameters not parsed without password
+ - Bug 2279: Log Format options to log server source IP and port
+ - Bug 3211: ssl_crtd start even if no ssl-bump port is configured
+ - Bug 3138: squidclient mgr:objects/mgr:vm_objects never ends
+ - Bug 3118: ecap_enable on forces icap_enable on
+ - Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
+ - Default to vhost for accelerator mode (reverse proxy)
+ - Display HTTP protocol syntax at section 11 level 2
+ - Support for using custom keys in CARP parents
+ - Optimize regular expression ACLs
+ - ... and a lot of code portability fixes
+ - ... and all bugs and polish changes from 3.1.15
+
Changes to squid-3.2.0.10 (24 Jul 2011):
- Port from 2.7: act-as-origin for reverse proxy ports
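Review bot: the first bullet, `- Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control`, should cite the advisory so ChangeLog readers can find the details; the release notes in this same change reference SQUID-2011:1 (http://www.squid-cache.org/Advisories/SQUID-2011_1.txt), so adding `(SQUID-2011:1)` to the entry keeps the two in sync. Also, the bug references in this block use the form `Bug 3243` while the 3.1.15 entries below use `Bug #3232`; pick one form for the file.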
Changes to squid-3.1.15 (28 Aug 2011):
- Regression fix: vhost and defaultsite causing vport to be ignored
+ - Regression Bug 3295: broken escaping in rfc1738_do_escape
- Bug #3232: fails to compile with OpenSSL v1.0.0
- Bug #3222: cache_peer name is not logging on CONNECT
- Bug #3131: fd_table[fd].closing() assert from ConnStateData::noteMoreBodySpaceAvailable()
- Bug #1791: timestampsSet does not validate Date: if server sends very old date
- Correct parsing of large Gopher indexes
- Enable negative cacheing on unknown or -1 expiry timestamp
+ - Remove hierarchy_stoplist default value
- Migrate cf_gen tool from C-style to C++
- ... and several documentation and compiler warning fixes
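Review bot: `- Remove hierarchy_stoplist default value` is a change to a squid.conf default and should also get an entry in the release notes' squid.conf section alongside the other directive changes, since installs relying on the old default will behave differently after upgrade. While touching this block, the context line `Enable negative cacheing on unknown or -1 expiry timestamp` has a typo: `caching`.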
<itemize>
<item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
- <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
+ <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series.
</itemize>
<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are:
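Review bot: the added sentence `This is fixed in 3.2 series.` should read `in the 3.2 series`, and since the item stays listed as a known issue for 3.1, it would help to reference the advisory SQUID-2011:1 cited elsewhere in this change so 3.1 operators can judge whether they are affected and which version carries the fix.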
<!doctype linuxdoc system>
<article>
-<title>Squid 3.2.0.10 release notes</title>
+<title>Squid 3.2.0.11 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.2.0.10 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.0.11 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
-We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d"> for how to submit a report with a stack trace.
+We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
+report with a stack trace.
<sect1>Known issues
<p>
<p>The most important of these new features are:
<itemize>
+ <item>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
<item>SMP scalability
<item>Helper Multiplexer and On-Demand
<item>Helper Name Changes
Most user-facing changes are reflected in squid.conf (see below).
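Review bot: the new item `Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.` ends with a period while the sibling items (`SMP scalability`, `Helper Multiplexer and On-Demand`, `Helper Name Changes`) do not, and the same trailing period and the space before the colon appear in the matching `<sect1>` title; drop both in both places so the item text and section title match the others. A security fix also sits oddly under `new features`; a one-line lead sentence before the list would read better.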
+<sect1>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
+<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">
+
+<p>Squid locates the authority-URL details available in an HTTP request as
+ defined by RFC 2616 and validates that all found representations are
+ <em>textually</em> equivalent. In the case of intercepted traffic the
+ client destination IP is also compared to the Host: authority domains
+ DNS entries.
+
+<p>When the Host: authority contradicts another authority source Squid will log
+ "SECURITY ALERT: Host: header forgery detected" and respond with a 409 Conflict
+ error status page.
+
+
<sect1>SMP scalability
<p>The new "workers" squid.conf option can be used to launch multiple worker
processes and utilize multiple CPU cores. The overall intent is to make
client-side delay pool for the request.
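Review bot: grammar in the new section text: `the Host: authority domains DNS entries` needs the possessive (`domain's DNS entries`), and `When the Host: authority contradicts another authority source Squid will log ...` needs a comma before `Squid`. Operators will also want two facts stated here: that the `409 Conflict` error page is returned to the client (not just logged), and that `client_dst_passthru`, documented below with the note that it `does not affect Host: validation`, is not a switch for this check, since that is the directive they will reach for first when the `SECURITY ALERT: Host: header forgery detected` message appears.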
<tag>client_dst_passthru</tag>
- <p>New setting to disable Host: header security on interception proxies.
+ <p>New setting to disable extra Host: header security on interception proxies.
Impacts cache integrity/reliability and client browser security.
+ <p><em>IMPORTANT:</em> disabling this directive only allows Squid to change the
+ destination IP to another source indicated by Host: domain DNS or
+ cache_peer configuration. It <em>does not</em> affect Host: validation.
<tag>cpu_affinity_map</tag>
<p>New setting for SMP support to map Squid processes onto specific CPU cores.
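Review bot: the two paragraphs for `client_dst_passthru` contradict each other as written: the first says it is a setting `to disable extra Host: header security on interception proxies`, while the IMPORTANT note says it `does not affect Host: validation`. State precisely what the directive controls (per the note, whether Squid may connect to a destination other than the client's original IP, as indicated by Host: DNS or cache_peer) and add its default value and which value is the safe one, so readers do not take it for an opt-out from the CVE-2009-0801 fix.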