Alexey Veselovsky <alexey.veselovsky@eykontech.com>
Alin Nastac <mrness@gentoo.org>
Alter <alter@alter.org.ua>
- Amos Jeffries <amosjeffries@squid-cache.org>
Amos Jeffries <squid3@treenet.co.nz>
Andreas Lamprecht <Andreas.Lamprecht@siemens.at>
Andres Kroonmaa <andre@ml.ee>
Arkin <arkin.yang@gmail.com>
Arthur Tumanyan <arthurtumanyan@yahoo.com>
Assar Westerlund <assar@pdc.kth.se>
- Automatic source maintenance <squidadm@squid-cache.org>
Axel Westerhold <ml.awesterhold@dts.de>
Benno Rice <benno@squid-cache.org>
Bertrand Jacquin <beber@meleeweb.net>
Graham Keeling <graham@equiinet.com>
Guido Serassio <serassio@squid-cache.org>
Hasso Tepper <hasso@estpak.ee>
- Henrik Nordstr?m <henrik@hlaptop.localdomain>
Henrik Nordstrom <henrik@henriknordstrom.net>
- Henrik Nordstrom <hno@squid-cache.org>
Hide Nagaoka <hide@cc.meisei-u.ac.jp>
Ian Castle <ian.castle@coldcomfortfarm.net>
Ian Turner <vectro@pipeline.com>
Jonathan Larmour <JLarmour@origin-at.co.uk>
Joshua Root <josh+squid@root.id.au>
Kieran Whitbread <k.j.whitbread@qmul.ac.uk>
- Kinkie <kinkie@squid-cache.org>
Klaubert Herr <klaubert@gmail.com>
Klaus Singvogel <kssingvo@suse.de>
Kolics Bertold <bertold@tohotom.vein.hu>
Philip Allison <philip.allison@smoothwall.net>
Philippe Lantin <plantin@cobaltgroup.com>
Pierangelo Masarati <ando@sys-net.it>
- Pierre-Louis BRENAC <brenacp@esiee.fr>
+ Pierre-Louis Brenac <brenacp@esiee.fr>
Przemek Czerkas <pczerkas@mgmnet.pl>
Rafael Martinez Torres <rmartine@fdi.ucm.es>
Rafal Ramocki <maniac@sistbg.net>
Richard Huveneers <Richard.Huveneers@hekkihek.hacom.nl>
Robert Collins <robertc@robertcollins.net>
Robert Forster
- Rodrigo Campos (rodrigo@geekbunker.org)
+ Rodrigo Campos <rodrigo@geekbunker.org>
Ron Gomes <rrg@ny.ubs.com>
Russell Street <r.street@auckland.ac.nz>
Russell Vincent <vincent@ucthpx.uct.ac.za>
Tony Lorimer <tlorimer@au.mdis.com>
Unknown - NetBSD Project
Vincent Regnard
- Vitaliy Matytsyn (main) <vm@if.bank.gov.ua>
+ Vitaliy Matytsyn <vm@if.bank.gov.ua>
Wesha <wesha@iname.com>
Wojtek Sylwestrzak <W.Sylwestrzak@icm.edu.pl>
Wolfgang Nothdurft <wolfgang@linogate.de>
benno@jeamland.net
fancyrabbit <fancyrabbit@gmail.com>
- rousskov
vollkommen <vollkommen@gmx.net>
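Review bot: The bare address `benno@jeamland.net` left as context near the end of this hunk still lacks the `Name <email>` form that the change applies to the Campos, Brenac and Matytsyn entries. If the cleanup is meant to normalise the file, give that entry a name, or fold it into an existing entry if it belongs to someone already listed.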
==============================================================================
-helprs/negotiate_auth/kerberos/ *
+helpers/negotiate_auth/kerberos/ *
/*
* -----------------------------------------------------------------------------
==============================================================================
+icons/SN.png:
+
+ Squid NOW icon - copyright Squid Project
+
+ This work is licensed under the
+ Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported Liscence
+ (CC BY-NC-SA 3.0)
+ [ http://creativecommons.org/licenses/by-nc-sa/3.0/ ]
+
+==============================================================================
+
icons/silk/:
Silk icon set 1.3
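Review bot: "Liscence" in the added icons/SN.png entry should read "License"; the short form and URL on the following lines are fine. Because this is the legal notice for the file, the name should match the licence text exactly. The NonCommercial term also deserves a note for downstream packagers, since it is narrower than the terms of the other artwork listed here.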
FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
+
+==============================================================================
+
+errors/errorpage.css:
+
+ Stylesheet for Squid Error pages
+ Adapted from design by Free CSS Templates
+ http://www.freecsstemplates.org
+ Released for free under a Creative Commons Attribution 2.5 License
+
+==============================================================================
+Changes to squid-3.2.0.19 (02 Aug 2012):
+
+ - Regression Bug 3580: IDENT request makes squid crash
+ - Regression Bug 3577: File Descriptors not properly closed
+ - Regression Bug 3478: Allow peer selection and connection auth on intercepted traffic
+ - Regression Fix: Restore memory caching ability
+ - Bug 3556 Workaround: epoll assertion failed: comm.cc:1093: isOpen(fd)
+ - Bug 3551: store_rebuild.cc:116: "store_errors == 0" assertion
+ - Bug 3525: Do not resend nibbled PUTs and avoid "mustAutoConsume" assertion.
+ - Avoid bogus "Disk space over limit" warnings when rebuidling dirty ufs index
+ - Support custom headers in [request|reply]_header_* manglers
+ - ... and much code polishing
+
Changes to squid-3.2.0.18 (29 Jun 2012):
- Bug 3576: ICY streams being Transfer-Encoding:chunked
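Review bot: "rebuidling" in the "Disk space over limit" entry should be "rebuilding". The entry for Bug 3551 also omits the colon-separated summary style used by its neighbours and only quotes the assertion text; a short description of the fix would make it easier to search for.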
SUBDIRS += scripts icons errors doc helpers src tools test-suite
DISTCLEANFILES = include/stamp-h include/stamp-h[0-9]*
-DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'`
+DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'`
dist-hook:
@ for subdir in include; do \
INSTALL \
QUICKSTART \
README \
- SPONSORS \
+ SPONSORS.txt \
bootstrap.sh \
po4a.conf
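Review bot: EXTRA_DIST now names SPONSORS.txt, but the only visible producer of that file is the sed line added to bootstrap.sh, so `make dist` in a tree where bootstrap.sh has not been re-run after this change has no rule to create it. Consider adding a make rule that generates SPONSORS.txt from SPONSORS, or document that bootstrap.sh must be run before `make dist`.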
In addition to the numerous volunteer developers (see CONTRIBUTORS),
-the following organizations have provided financial or other support for
-Squid:
+the following organizations have provided non-financial support for
+the Squid Project:
-The National Science Foundation
+@Squid-3.2:
+iiNet Ltd - http://www.iinet.net.au/
- The NSF was the primary funding source for Squid development
- from 1996-2000. Two grants (#NCR-9616602, #NCR-9521745)
- received through the Advanced Networking Infrastructure
- and Research (ANIR) Division were administered by the
- University of California San Diego.
+ iiNet Ltd contributed significant development resources to
+ Squid during its early stages and was instrumental in its
+ early adoption in the local internet community.
+ In Squid-2.6 and 3.0 iiNet supplied equipment to help develop
+ and test the WCCPv2 implementation.
+ In Squid-3.2 iiNet sponsored development time to resolve
+ authentication problems.
-MARA Systems AB - http://www.marasystems.com/
+LaunchPad - http://launchpad.net/
- MARA systems has sponsored the bug fixing and maintentnance for
- most Squid-2.5 releases, and a number of new features to be found
- in Squid-3.
+ Provide Bazaar mirroring services and host the Squid-3 developer
+ project code.
-Swell Technology - http://www.swelltech.com/
+Messagenet - http://messagenet.it/
- Swell Technology provides ongoing development and testing
- support to the Squid project, as well as hardware donations
- for Squid developers.
+ Messagenet donated hardware and bandwidth for the wiki server
+ and most continuous integration testing.
-Picture IQ - http://www.pictureiq.com/
+Palisade Systems - http://www.palisadesys.com/
- Bought simple support for the Vary header, to help their
- accelerator setups.
+ Palisade Systems funded SSL Bump feature development in Squid3.
-SGI - http://www.sgi.com/
+The Measurement Factory - http://www.measurement-factory.com/
- SGI has provided hardware donations for Squid developers.
+ Measurement Factory has constributed significant resources
+ toward Squid-3 development and server maintenance.
-Zope Corporation - http://www.zope.com/
+Treehouse Networks, NZ - http://treenet.co.nz/
- Zope Corporation funded the development of the ESI protocol
- (http://www.esi.org) in Squid to provide greater cachability
- of dynamic and personalized pages by caching common page
- components. Zope engaged one of the core Squid developers
- for the project.
+ Treehouse Networks has contributed significant resources
+ toward Squid-3 development and maintenance for their customer
+ gateways and CDN.
-craigslist - http://www.craigslist.org/
+@Squid-3.1:
+Barefruit - http://www.barefruit.com/
- craigslist has provided funding in recognition of the vital
- role squid plays in their web serving architecture.
+ Barefruit has funded Squid-3.0 and 3.1 development and maintenance,
+ with a focus on content adaptation (ICAP and eCAP) support.
+
+BBC (UK) and Siemens IT Solutions and Services (UK)
+
+ Provided developement and testing resources for Solaris /dev/poll
+ support in Squid-3.1.
webwasher AG - http://www.webwasher.com/
- webwasher AG paid for improvements to Squid's iCAP client
- implementation. You can find the results of this work
- at http://devel.squid-cache.org/icap/
+ webwasher AG paid for improvements to Squid-3.1 ICAP client
+ implementation.
-iiNet Ltd - http://www.iinet.net.au/
+SourceForge - http://www.sourceforge.net/
- iiNet Ltd contributed significant development resources to
- Squid during its early stages and was instrumental in its
- early adoption in the local internet community. iiNet has also
- recently supplied equipment to help develop and test the WCCPv2
- implementation in Squid-2.6 and Squid-3.
+ Provide CVS mirroring services and hosted the Squid-2 developer
+ project code.
+@Squid-3.0:
Kaspersky Lab - http://www.kaspersky.com/
Kaspersky Lab funded initial development of ICAP support in
- Squid-3.
-
-Barefruit - http://www.barefruit.com/
+ Squid-3.0
- Barefruit has funded Squid3 development and maintenance,
- with a focus on content adaptation (ICAP and eCAP) support.
-
-Palisade Systems - http://www.palisadesys.com/
+MARA Systems AB - http://www.marasystems.com/
- Palisade Systems funded SSL Bump feature development in Squid3.
+ MARA systems has sponsored the bug fixing and maintenance for
+ most Squid-2.5 releases, and a number of new features to be found
+ in Squid-3.0.
-Treehouse Networks, NZ - http://treenet.co.nz/
+Zope Corporation - http://www.zope.com/
- Treehouse Networks has contributed significant development resources
- toward Squid-3 development and maintenance for their customer
- gateways and CDN.
+ Zope Corporation funded the development of the ESI protocol
+ (http://www.esi.org) in Squid-3.0 to provide greater cachability
+ of dynamic and personalized pages by caching common page
+ components.
-BBC (UK) and Siemens IT Solutions and Services (UK)
+@Squid-2.7:
+Picture IQ - http://www.pictureiq.com/
- Provided developement and testing resources for Solaris /dev/poll
- support.
+ Picture IQ bought simple support for the Vary header to Squid-2.7,
+ to help their accelerator setups.
Yahoo! Inc. - http://www.yahoo.com/
Yahoo! Inc. supported the development of improved refresh
logics. Many thanks to Yahoo! Inc. for supporting the development
of these features.
+
+@Squid-2.6:
+Swell Technology - http://www.swelltech.com/
+
+ Swell Technology provided development and testing support to the
+ Squid-2 project, as well as hardware donations for Squid developers.
+
+@Squid-2.4:
+SGI - http://www.sgi.com/
+
+ SGI has provided hardware donations for Squid developers.
+
+@Squid-2.3:
+The National Science Foundation
+
+ The NSF was the primary funding source for Squid development
+ from 1996-2000. Two grants (#NCR-9616602, #NCR-9521745)
+ received through the Advanced Networking Infrastructure
+ and Research (ANIR) Division were administered by the
+ University of California San Diego.
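Review bot: The new introduction says the listed organizations "have provided non-financial support", yet several entries kept or added below it say the opposite: "Palisade Systems funded SSL Bump feature development", "Barefruit has funded Squid-3.0 and 3.1 development", "webwasher AG paid for improvements" and the NSF entry as "the primary funding source". Either restore wording that covers both kinds of support or move the funded items elsewhere. Also fix "constributed" in the Measurement Factory entry and "developement" in the BBC/Siemens entry while these lines are being touched.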
fi
done
+# Make a copy of SPONSORS we can package
+sed -e 's/@Squid-[0-9\.]*://' <SPONSORS > SPONSORS.txt || (rm -f SPONSORS.txt && exit 1)
+
# Fixup autoconf recursion using --silent/--quiet option
# autoconf should inherit this option whe recursing into subdirectories
# but it currently doesn't for some reason.
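Review bot: On the added sed line, `(rm -f SPONSORS.txt && exit 1)` runs in a subshell, so `exit 1` ends only the subshell and bootstrap.sh carries on without SPONSORS.txt unless the script runs under `set -e`, which is not visible here. Use a brace group instead, `|| { rm -f SPONSORS.txt; exit 1; }`, so a failed copy actually stops the bootstrap.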
dnl
dnl
dnl
-AC_INIT([Squid Web Proxy],[3.2.0.18-BZR],[http://www.squid-cache.org/bugs/],[squid])
+AC_INIT([Squid Web Proxy],[3.2.0.19-BZR],[http://www.squid-cache.org/bugs/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
<itemize>
<item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
+ <item>eCAP library version 0.2.0 and later are not supported. See eCAP section below for details.
+ <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series.
+ Some attempts have been made to port for 3.1, but the unreliability of NAT handling in 3.1 makes this unsafe.
</itemize>
<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are:
<itemize>
- <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series.
<item>Windows support is still largely missing.
<item>AIX support for building with the IBM compiler is broken.
<item>OpenSSL 1.0.0 support is incomplete.
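Review bot: The added CVE-2009-0801 item states "This is fixed in 3.2 series", while the 3.2 release notes in this same patch drop "Fixed" from the section title and document that upstream peers remain at risk of cache poisoning when an interception proxy relays to them. Qualify the 3.1 wording to match, for example by saying the fix in 3.2 covers direct forwarding and pointing to the 3.2 known issue for peer hierarchies.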
<p>Currently known and available eCAP modules are listed in the wiki feature page on eCAP.
+<p><em>Known Issue:</em> libecap version 0.0.3 (exactly) is required to build this series
+ of Squid. Other versions of libecap contain significant interface differences.
+
<sect1>ICAP Bypass and Retry enhancements
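Review bot: The added Known Issue says libecap 0.0.3 "(exactly) is required", but the list item added earlier in this file says only that "version 0.2.0 and later are not supported", which leaves a reader to assume releases between 0.0.3 and 0.2.0 work. State the same constraint in both places, preferably the exact-version wording.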
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
- <TITLE>Squid 3.2.0.18 release notes</TITLE>
+ <TITLE>Squid 3.2.0.19 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.2.0.18 release notes</H1>
+<H1>Squid 3.2.0.19 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.1</A></H2>
<UL>
-<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.</A>
-<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">SMP scalability</A>
-<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Helper Multiplexer</A>
-<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Helpers On-Demand</A>
-<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Helper Name Changes</A>
-<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Multi-Lingual manuals</A>
-<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">Solaris 10 pthreads Support (Experimental)</A>
-<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Surrogate/1.0 protocol extensions to HTTP</A>
-<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">Logging Infrastructure Updated</A>
-<LI><A NAME="toc2.10">2.10</A> <A HREF="#ss2.10">Client Bandwidth Limits</A>
-<LI><A NAME="toc2.11">2.11</A> <A HREF="#ss2.11">Better eCAP Suport</A>
-<LI><A NAME="toc2.12">2.12</A> <A HREF="#ss2.12">Cache Manager access changes</A>
+<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">CVE-2009-0801 : NAT interception vulnerability to malicious clients.</A>
+<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">NCSA helper DES algorithm password limits</A>
+<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SMP scalability</A>
+<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Helper Multiplexer</A>
+<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Helpers On-Demand</A>
+<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Helper Name Changes</A>
+<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">Multi-Lingual manuals</A>
+<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Solaris 10 pthreads Support (Experimental)</A>
+<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">Surrogate/1.0 protocol extensions to HTTP</A>
+<LI><A NAME="toc2.10">2.10</A> <A HREF="#ss2.10">Logging Infrastructure Updated</A>
+<LI><A NAME="toc2.11">2.11</A> <A HREF="#ss2.11">Client Bandwidth Limits</A>
+<LI><A NAME="toc2.12">2.12</A> <A HREF="#ss2.12">Better eCAP Suport</A>
+<LI><A NAME="toc2.13">2.13</A> <A HREF="#ss2.13">Cache Manager access changes</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.1</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
-<P>The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.2/">http://www.squid-cache.org/Versions/v3/3.2/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.2&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.2</A>.</P>
+<P>Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:</P>
+<P>
+<UL>
+<LI>CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details.</LI>
+<LI>TCP logging of access.log does not recover from broken connections well.</LI>
+</UL>
+</P>
+
<P>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:</P>
<P>
<UL>
-<LI>CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details.</LI>
<LI>SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.</LI>
<LI>Windows support is still incomplete.</LI>
-<LI>TCP logging of access.log does not recover from broken connections well.</LI>
<LI>The lack of some features available in Squid-2.x series. See the regression sections below for full details.</LI>
</UL>
</P>
<P>The most important of these new features are:
<UL>
-<LI>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.</LI>
+<LI>CVE-2009-0801 : NAT interception vulnerability to malicious clients.</LI>
+<LI>NCSA helper DES algorithm password limits</LI>
<LI>SMP scalability</LI>
<LI>Helper Multiplexer and On-Demand</LI>
<LI>Helper Name Changes</LI>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
-<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.</A>
+<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">CVE-2009-0801 : NAT interception vulnerability to malicious clients.</A>
</H2>
<P>Details in Advisory
can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.</P>
<P>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
-so to the orginal destination IP the client was contacting. This means that interception
-proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy.
+so safely to the orginal destination IP the client was contacting. The client original
+destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers
+are at risk of cache poisoning from CVE-2009-0801 vulnerability.
Developer time is required to implement safe transit of these requests.
Please contact squid-dev if you are able to assist or sponsor the development.</P>
-<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">SMP scalability</A>
+<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">NCSA helper DES algorithm password limits</A>
+</H2>
+
+<P>Details in Advisory
+<A HREF="http://www.squid-cache.org/Advisories/SQUID-2011_2.txt">SQUID-2011:2</A></P>
+
+<P>The DES algorithm used by the NCSA Basic authentication helper has an
+limit of 8 bytes but some implementations do not error when truncating
+longer passwords down to this unsafe level.</P>
+
+<P>This both significantly lowers the threshold of difficulty decrypting
+captured password files and hides from users the fact that the extra bits
+of their chosen long password is not being utilized.</P>
+
+<P>The NCSA helper bundled with Squid will prevent passwords longer than 8
+characters being sent to the DES algorithm. The MD5 hash algorithm which
+supports longer than 8 character passwords is also supported by this helper
+and should be used instead.</P>
+
+
+<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SMP scalability</A>
</H2>
<P>The new "workers" squid.conf option can be used to launch multiple worker
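Review bot: In the added NCSA section, "has an limit of 8 bytes" should be "has a limit", and "the extra bits of their chosen long password is not being utilized" needs "are". The phrase "decrypting captured password files" is also loose for a one-way password hash; "recovering passwords from captured password files" says what is meant. The same known-issue paragraph above carries the typos "destinatio" and "relayign". This file is LinuxDoc-Tools output according to its GENERATOR tag, so make the corrections in the sgml source and regenerate rather than editing the HTML. It would also help administrators if the section said what the helper does with a longer password under DES, since "will prevent" does not say whether the login is rejected.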
configuration" and "SMP-Related Macros" sections in squid.conf.documented.</P>
-<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Helper Multiplexer</A>
+<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Helper Multiplexer</A>
</H2>
<P>The helper multiplexer's purpose is to relieve some of the burden
</P>
-<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Helpers On-Demand</A>
+<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Helpers On-Demand</A>
</H2>
<P>Traditionally Squid has been configured with a fixed number of helpers and started them during
of starting the maximum number of helpers will occur.</P>
-<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Helper Name Changes</A>
+<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Helper Name Changes</A>
</H2>
<P>To improve the understanding of what each helper does and where it should be used the helper binaries
</P>
-<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Multi-Lingual manuals</A>
+<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">Multi-Lingual manuals</A>
</H2>
<P>The man(8) and man(1) pages bundled with Squid are now provided online for all
This move begins the Localization of the internal administrator facing manuals.</P>
-<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">Solaris 10 pthreads Support (Experimental)</A>
+<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Solaris 10 pthreads Support (Experimental)</A>
</H2>
<P>Automatic detection and use of the pthreads library available from Solaris 10</P>
We recommend giving AUFS a try for faster disk storage and encourage feedback.</P>
-<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Surrogate/1.0 protocol extensions to HTTP</A>
+<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">Surrogate/1.0 protocol extensions to HTTP</A>
</H2>
<P>The <EM>Surrogate</EM> extensions to HTTP protocol enable an origin web server to specify separate
is required to prevent an unacceptable surrogate ID of 'localhost' being generated.</P>
-<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">Logging Infrastructure Updated</A>
+<H2><A NAME="ss2.10">2.10</A> <A HREF="#toc2.10">Logging Infrastructure Updated</A>
</H2>
<P>The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.</P>
At present it will restart the affected Squid instance if the TCP connection is broken.</P>
-<H2><A NAME="ss2.10">2.10</A> <A HREF="#toc2.10">Client Bandwidth Limits</A>
+<H2><A NAME="ss2.11">2.11</A> <A HREF="#toc2.11">Client Bandwidth Limits</A>
</H2>
<P>In mobile environments, Squid may need to limit Squid-to-client bandwidth
high-bandwidth environments.</P>
-<H2><A NAME="ss2.11">2.11</A> <A HREF="#toc2.11">Better eCAP Suport</A>
+<H2><A NAME="ss2.12">2.12</A> <A HREF="#toc2.12">Better eCAP Suport</A>
</H2>
<P>Support for libecap version 0.2.0 has been added with this series of Squid. Bringing
against any older libecap releases.</P>
-<H2><A NAME="ss2.12">2.12</A> <A HREF="#toc2.12">Cache Manager access changes</A>
+<H2><A NAME="ss2.13">2.13</A> <A HREF="#toc2.13">Cache Manager access changes</A>
</H2>
<P>The Squid Cache Manager has previously only been accessible under the cache_object://
<P>New option <EM>max-stale=</EM> to provide a maximum staleness factor. Squid won't
serve objects more stale than this even if it failed to validate the object.</P>
+<DT><B>reply_header_access</B><DD>
+<P>Added support for custom response header names.</P>
+
+<DT><B>request_header_access</B><DD>
+<P>Added support for custom request header names.</P>
+
+<DT><B>reply_header_replace</B><DD>
+<P>Added support for custom response header names.</P>
+
+<DT><B>request_header_replace</B><DD>
+<P>Added support for custom request header names.</P>
+
<DT><B>tcp_outgoing_address</B><DD>
<P>This parameter is now compatible with persistent server connections.
The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.</P>
<!doctype linuxdoc system>
<article>
-<title>Squid 3.2.0.18 release notes</title>
+<title>Squid 3.2.0.19 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<p>
Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.2&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.2">.
+<p>Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:
+
+<itemize>
+ <item>CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details.
+ <item>TCP logging of access.log does not recover from broken connections well.
+</itemize>
+
<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
<itemize>
- <item>CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details.
<item>SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.
<item>Windows support is still incomplete.
- <item>TCP logging of access.log does not recover from broken connections well.
<item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
</itemize>
<p>The most important of these new features are:
<itemize>
- <item>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
+ <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
<item>NCSA helper DES algorithm password limits
<item>SMP scalability
<item>Helper Multiplexer and On-Demand
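Review bot: With "Fixed" removed, the list introduced as "The most important of these new features" now opens with a vulnerability name and a password limit, neither of which reads as a feature. Reword the two items to say what the release provides, for example "Host header validation for CVE-2009-0801 (see known issue)" and "NCSA helper rejects over-long DES passwords", or move them under a separate security heading.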
Most user-facing changes are reflected in squid.conf (see below).
-<sect1>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
+<sect1>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">
<p>Squid locates the authority-URL details available in an HTTP request as
can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.
<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
- so to the orginal destination IP the client was contacting. This means that interception
- proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy.
+ so safely to the orginal destination IP the client was contacting. The client original
+ destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers
+ are at risk of cache poisoning from CVE-2009-0801 vulnerability.
Developer time is required to implement safe transit of these requests.
Please contact squid-dev if you are able to assist or sponsor the development.
<sect1>NCSA helper DES algorithm password limits
-<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:2">
+<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_2.txt" name="SQUID-2011:2">
<p>The DES algorithm used by the NCSA Basic authentication helper has an
limit of 8 bytes but some implementations do not error when truncating
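Review bot: The added Known Issue text contains "destinatio" and "relayign" on the second new line, and "orginal" survives from the old wording on the first. Since this paragraph tells operators that upstream peers are at risk of cache poisoning, it should read cleanly: "The client's original destination IP is lost when relaying to peers in a hierarchy." The advisory URL correction for SQUID-2011:2 looks right.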
<p>New option <em>max-stale=</em> to provide a maximum staleness factor. Squid won't
serve objects more stale than this even if it failed to validate the object.
+ <tag>reply_header_access</tag>
+ <p>Added support for custom response header names.</p>
+
+ <tag>request_header_access</tag>
+ <p>Added support for custom request header names.</p>
+
+ <tag>reply_header_replace</tag>
+ <p>Added support for custom response header names.</p>
+
+ <tag>request_header_replace</tag>
+ <p>Added support for custom request header names.</p>
+
<tag>tcp_outgoing_address</tag>
<p>This parameter is now compatible with persistent server connections.
The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
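Review bot: The four added header-mangler entries close their paragraphs with `</p>`, while the neighbouring entries in this file (max-stale above, tcp_outgoing_address below) leave `<p>` unclosed. Match the surrounding style. The entries would also be more useful if they said what a custom header name is and noted that the ChangeLog describes this as applying to all `[request|reply]_header_*` manglers.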