From: Amos Jeffries Date: Thu, 2 Aug 2012 11:55:39 +0000 (-0600) Subject: Prep for 3.2.0.19 X-Git-Tag: sourceformat-review-1~140 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9eec4aa9b69bbf81f1d7f2b8f42991500833310;p=thirdparty%2Fsquid.git Prep for 3.2.0.19 --- diff --git a/ChangeLog b/ChangeLog index 599bda4c53..7e89a1642a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +Changes to squid-3.2.0.19 (02 Aug 2012): + + - Regression Bug 3580: IDENT request makes squid crash + - Regression Bug 3577: File Descriptors not properly closed + - Regression Bug 3478: Allow peer selection and connection auth on intercepted traffic + - Regression Fix: Restore memory caching ability + - Bug 3556 Workaround: epoll assertion failed: comm.cc:1093: isOpen(fd) + - Bug 3551: store_rebuild.cc:116: "store_errors == 0" assertion + - Bug 3525: Do not resend nibbled PUTs and avoid "mustAutoConsume" assertion. + - Avoid bogus "Disk space over limit" warnings when rebuidling dirty ufs index + - Support custom headers in [request|reply]_header_* manglers + - ... and much code polishing + Changes to squid-3.2.0.18 (29 Jun 2012): - Bug 3576: ICY streams being Transfer-Encoding:chunked diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 75aff34f3f..4fd4bd804c 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@
-Squid 3.2.0.18 release notes +Squid 3.2.0.19 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing. This new release is available for download from or the . @@ -26,13 +26,18 @@ report with a stack trace.

Although this release is deemed good enough for use in many setups, please note the existence of . +

Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are: + + + CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details. + TCP logging of access.log does not recover from broken connections well. + +

Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are: - CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details. SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details. Windows support is still incomplete. - TCP logging of access.log does not recover from broken connections well. The lack of some features available in Squid-2.x series. See the regression sections below for full details. @@ -46,7 +51,7 @@ The 3.2 change history can be Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients. +CVE-2009-0801 : NAT interception vulnerability to malicious clients.

Details in Advisory

Squid locates the authority-URL details available in an HTTP request as @@ -82,8 +87,9 @@ Most user-facing changes are reflected in squid.conf (see below). can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.

Known Issue: When non-strict validation fails Squid will relay the request, but can only do - so to the orginal destination IP the client was contacting. This means that interception - proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy. + so safely to the orginal destination IP the client was contacting. The client original + destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers + are at risk of cache poisoning from CVE-2009-0801 vulnerability. Developer time is required to implement safe transit of these requests. Please contact squid-dev if you are able to assist or sponsor the development.
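Review bot: In the ChangeLog hunk, the added entry `Avoid bogus "Disk space over limit" warnings when rebuidling dirty ufs index` misspells "rebuilding". The Bug 3525 entry is also the only line in the new 3.2.0.19 block that ends with a full stop; dropping it keeps the list consistent.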
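Review bot: In the release-3.2.sgml hunk at @@ -26,13 +26,18 @@, the CVE-2009-0801 entry moves into the list of issues "not able to be fixed in the 3.2 series", yet the Known Issue paragraph in the last hunk still closes with "Developer time is required to implement safe transit of these requests", which reads as though a fix is only waiting on effort. State in one of the two places whether that work is aimed at a later series, so that operators running interception proxies in front of cache peers know the limitation stays for all of 3.2. The added line also needs "See" capitalised after the full stop in "to peers safely. see the CVE section below for details."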
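Review bot: In the release-3.2.sgml hunk at @@ -46,7 +51,7 @@, dropping "Fixed" from the section title leaves "CVE-2009-0801 : NAT interception vulnerability to malicious clients." with no status at all. The Known Issue text further down distinguishes relay to the original destination IP (safe) from relay to peers (still at risk), so a title that carries that status would tell the reader more than a bare CVE name and would match the new entry in the known-issues list.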
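Review bot: In the release-3.2.sgml hunk at @@ -82,8 +87,9 @@, the three added lines carry spelling errors in security-relevant text: "orginal", "destinatio" and "relayign" should be "original", "destination" and "relaying", and "from CVE-2009-0801 vulnerability" needs an article ("from the CVE-2009-0801 vulnerability"). The new wording names the risk (cache poisoning of upstream peers) but not what an operator should do about it; a short pointer back to the preceding sentence, that such proxies "can not be used as feeder gateways into a cluster or peer hierarchy without strict validation", would make the paragraph actionable.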