dnl Netfilter TPROXY depends on libcap but the NAT parts can still work.
AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $enable_linux_netfilter])
if test "x$enable_linux_netfilter" = "xyes" -a "x$with_libcap" != "xyes" ; then
- AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
- AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled])
- AC_MSG_WARN([Reduced support to Interception Proxy])
+ AC_MSG_WARN([Missing needed capabilities (libcap 2.09+) for TPROXY])
+ AC_MSG_WARN([Linux Transparent Proxy (version 4+) support WILL NOT be enabled])
+ AC_MSG_WARN([Reduced support to NAT Interception Proxy])
# AC_DEFINEd later
fi
if test "x$squid_opt_netfilterconntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then
- AC_MSG_ERROR([Linux netfilter conntrack requires libcap support (libcap or libcap2)])
+ AC_MSG_ERROR([Linux netfilter conntrack requires libcap support (libcap 2.09+)])
fi
if test "x$with_netfilter_conntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then
- AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for netfilter mark support])
+ AC_MSG_WARN([Missing needed capabilities (libcap 2.09+) for netfilter mark support])
AC_MSG_WARN([Linux netfilter marking support WILL NOT be enabled])
with_netfilter_conntrack=no
fi
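Review bot: The new messages in all three checks name a minimum version (libcap 2.09+), but the conditions shown still test only "x$with_libcap" != "xyes", so nothing visible here ties the message to a version check. Confirm that the libcap detection earlier in configure.ac sets with_libcap=yes only for 2.09 or later, or add the version test next to these guards; otherwise a build against an older libcap passes them without ever printing the requirement. Separately, the conntrack guard tests $squid_opt_netfilterconntrack and aborts with AC_MSG_ERROR, while the mark-support guard tests $with_netfilter_conntrack and only warns; a one-line dnl comment on why the two differ would help.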
<!doctype linuxdoc system>
<article>
-<title>Squid 3.2.0.19 release notes</title>
+<title>Squid 3.2.1 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.1 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<p>Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:
<itemize>
- <item>CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details.
<item>TCP logging of access.log does not recover from broken connections well.
+ <item>SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.
+ <item>Cache Manager reports in txt/plain format even when requested directly via browser.
</itemize>
<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
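Review bot: The list of issues that cannot be fixed in 3.2 loses its CVE-2009-0801 item, yet the Host: validation text changed later in this same patch still has a "Known Issue" paragraph saying upstream peers remain at risk from CVE-2009-0801. Since that limitation is still documented as open, keep a reworded pointer to it in this list so a reader scanning the notice does not miss the security caveat. Also, "txt/plain" in the new Cache Manager item should read "text/plain", and the announcement still says "for testing" after the version changes from 3.2.0.19 to 3.2.1; please confirm that wording is intended.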
directive. Squid will respond with 409 Conflict error response when strict validation
fails and handles the request normally when strict validation succeeds or is OFF (default).
-<p>Relaying of messages which FAIL non-strct Host: validation are permitted through Squid but
- only to the original destination IP the client was requesting. This means interception proxies
- can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.
+<p>Relaying of messages which FAIL non-strict Host: validation are permitted through Squid but
+ only to the original destination IP the client was requesting or to explicit peers. This means
+ DNS lookups to locate alternative DIRECT destinations will not be done.
<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
so safely to the orginal destination IP the client was contacting. The client original
- destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers
- are at risk of cache poisoning from CVE-2009-0801 vulnerability.
+ destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers
+ are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability.
Developer time is required to implement safe transit of these requests.
Please contact squid-dev if you are able to assist or sponsor the development.
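Review bot: The rewritten paragraph now allows relaying "to the original destination IP the client was requesting or to explicit peers", while the Known Issue paragraph directly below still says Squid "can only do so safely" to the original destination IP. State the relation between the two explicitly, i.e. that relaying to explicit peers is permitted but is the case the Known Issue describes as not safe. The new sentence "are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability" is hard to parse; something like "are still at risk from the CVE-2009-0801 same-origin bypass" reads more clearly. The unchanged line above it also keeps the typo "orginal" while the neighbouring typos are being fixed.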
<sect1>Removed squid.conf options since Squid-2.6
<p>
<descrip>
+ <tag>acl</tag>
+ <p><em>urlgroup</em> type removed. Use <em>myportname</em> type instead.
+
<tag>cache_dir</tag>
<p><em>read-only</em> option replaced by <em>no-store</em>.
+ <tag>http_port</tag>
+ <p><em>urlgroup=</em> removed. Use <em>name=</em> feature instead.
+
+ <tag>zero_buffers</tag>
+ <p>Replaced by native support.
+
</descrip>
<sect1>Removed ./configure options since Squid-2.7
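Review bot: The zero_buffers entry says only "Replaced by native support." and does not name what now provides the behaviour, unlike the acl and http_port entries added beside it ("Use myportname type instead", "Use name= feature instead"). Name the replacement or say that no configuration is needed any more. Style: each added entry ends with a blank line, but none separates the existing cache_dir entry from the new http_port tag.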
<tag>--disable-kqueue</tag>
<p>Obsolete. Disabled by default.
+ <tag>--without-system-md5</tag>
+ <p>Obsolete. Disabled by default.
+
</descrip>
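Review bot: The description added for --without-system-md5 is a copy of the --disable-kqueue text above it, and "Disabled by default" is ambiguous for a --without- option: it does not say whether the system MD5 or the option itself is what is disabled. The entry this replaces in the deleted "Missing ./configure options" section had no description at all, so this is the only place the reader learns what happened to it; state what the build does now.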
<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7
- <tag>http_port</tag>
- <p><em>urlgroup=</em> not yet ported from 2.6
-
<tag>ignore_ims_on_miss</tag>
<p>Not yet ported from 2.7
<p>Not yet ported from 2.7
<tag>update_headers</tag>
- <p>Not yet ported from 2.7
-
- <tag>zero_buffers</tag>
- <p>Not yet ported from 2.7
+ <p>Not yet fully ported from 2.7. Memory and rock storage caches support this natively. UFS caches do not support it.
</descrip>
-
-<sect1>Missing ./configure options available in Squid-2.7
-<p>
-<descrip>
- <tag>--without-system-md5</tag>
-
-</descrip>
-
</article>