From: Amos Jeffries Date: Thu, 2 Aug 2012 12:13:35 +0000 (-0600) Subject: 3.2.0.19 X-Git-Tag: SQUID_3_2_0_19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba3f001ccb3459f706b9df20bd57aef8b034c9b5;p=thirdparty%2Fsquid.git 3.2.0.19 --- diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 9265faca9c..b99f788166 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -9,7 +9,6 @@ and ideas to make this software available. Alexey Veselovsky Alin Nastac Alter - Amos Jeffries Amos Jeffries Andreas Lamprecht Andres Kroonmaa @@ -21,7 +20,6 @@ and ideas to make this software available. Arkin Arthur Tumanyan Assar Westerlund - Automatic source maintenance Axel Westerhold Benno Rice Bertrand Jacquin @@ -75,9 +73,7 @@ and ideas to make this software available. Graham Keeling Guido Serassio Hasso Tepper - Henrik Nordstr?m Henrik Nordstrom - Henrik Nordstrom Hide Nagaoka Ian Castle Ian Turner @@ -102,7 +98,6 @@ and ideas to make this software available. Jonathan Larmour Joshua Root Kieran Whitbread - Kinkie Klaubert Herr Klaus Singvogel Kolics Bertold @@ -153,7 +148,7 @@ and ideas to make this software available. Philip Allison Philippe Lantin Pierangelo Masarati - Pierre-Louis BRENAC + Pierre-Louis Brenac Przemek Czerkas Rafael Martinez Torres Rafal Ramocki @@ -166,7 +161,7 @@ and ideas to make this software available. Richard Huveneers Robert Collins Robert Forster - Rodrigo Campos (rodrigo@geekbunker.org) + Rodrigo Campos Ron Gomes Russell Street Russell Vincent @@ -188,11 +183,10 @@ and ideas to make this software available. Tony Lorimer Unknown - NetBSD Project Vincent Regnard - Vitaliy Matytsyn (main) + Vitaliy Matytsyn Wesha Wojtek Sylwestrzak Wolfgang Nothdurft benno@jeamland.net fancyrabbit - rousskov vollkommen diff --git a/CREDITS b/CREDITS index 30885b7078..d464150cd8 100644 --- a/CREDITS +++ b/CREDITS 
@@ -453,7 +453,7 @@ helpers/url_rewrite/fake/ fake.h, fake.cc, url_fake_rewrite.sh: ============================================================================== -helprs/negotiate_auth/kerberos/ * +helpers/negotiate_auth/kerberos/ * /* * ----------------------------------------------------------------------------- @@ -526,6 +526,17 @@ helpers/external_acl/kerberos_ldap_group/support_ldap.cc ============================================================================== +icons/SN.png: + + Squid NOW icon - copyright Squid Project + + This work is licensed under the + Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported Liscence + (CC BY-NC-SA 3.0) + [ http://creativecommons.org/licenses/by-nc-sa/3.0/ ] + +============================================================================== + icons/silk/: Silk icon set 1.3 @@ -592,3 +603,14 @@ shm_portable_segment_name_is_path() implementation: FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +============================================================================== + +errors/errorpage.css: + + Stylesheet for Squid Error pages + Adapted from design by Free CSS Templates + http://www.freecsstemplates.org + Released for free under a Creative Commons Attribution 2.5 License + +============================================================================== diff --git a/ChangeLog b/ChangeLog index 599bda4c53..7e89a1642a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,16 @@ +Changes to squid-3.2.0.19 (02 Aug 2012): + + - Regression Bug 3580: IDENT request makes squid crash + - Regression Bug 3577: File Descriptors not properly closed + - Regression Bug 3478: Allow peer selection and connection auth on intercepted traffic + - Regression Fix: Restore memory caching ability + - Bug 3556 Workaround: epoll assertion failed: comm.cc:1093: isOpen(fd) + - Bug 3551: store_rebuild.cc:116: "store_errors == 0" assertion + - Bug 3525: Do not resend nibbled PUTs and avoid "mustAutoConsume" assertion. + - Avoid bogus "Disk space over limit" warnings when rebuidling dirty ufs index + - Support custom headers in [request|reply]_header_* manglers + - ... and much code polishing + Changes to squid-3.2.0.18 (29 Jun 2012): - Bug 3576: ICY streams being Transfer-Encoding:chunked diff --git a/Makefile.am b/Makefile.am index d839afef42..62c0a00f74 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ endif SUBDIRS += scripts icons errors doc helpers src tools test-suite DISTCLEANFILES = include/stamp-h include/stamp-h[0-9]* -DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` +DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` dist-hook: @ for subdir in include; do \ @@ -43,7 +43,7 @@ EXTRA_DIST = \ INSTALL \ QUICKSTART \ README \ - SPONSORS \ + SPONSORS.txt \ bootstrap.sh \ po4a.conf diff --git a/SPONSORS b/SPONSORS index 1c570e925f..1608e864eb 100644 --- a/SPONSORS +++ b/SPONSORS 
@@ -1,90 +1,111 @@ In addition to the numerous volunteer developers (see CONTRIBUTORS), -the following organizations have provided financial or other support for -Squid: +the following organizations have provided non-financial support for +the Squid Project: -The National Science Foundation +@Squid-3.2: +iiNet Ltd - http://www.iinet.net.au/ - The NSF was the primary funding source for Squid development - from 1996-2000. Two grants (#NCR-9616602, #NCR-9521745) - received through the Advanced Networking Infrastructure - and Research (ANIR) Division were administered by the - University of California San Diego. + iiNet Ltd contributed significant development resources to + Squid during its early stages and was instrumental in its + early adoption in the local internet community. + In Squid-2.6 and 3.0 iiNet supplied equipment to help develop + and test the WCCPv2 implementation. + In Squid-3.2 iiNet sponsored development time to resolve + authentication problems. -MARA Systems AB - http://www.marasystems.com/ +LaunchPad - http://launchpad.net/ - MARA systems has sponsored the bug fixing and maintentnance for - most Squid-2.5 releases, and a number of new features to be found - in Squid-3. + Provide Bazaar mirroring services and host the Squid-3 developer + project code. -Swell Technology - http://www.swelltech.com/ +Messagenet - http://messagenet.it/ - Swell Technology provides ongoing development and testing - support to the Squid project, as well as hardware donations - for Squid developers. + Messagenet donated hardware and bandwidth for the wiki server + and most continuous integration testing. -Picture IQ - http://www.pictureiq.com/ +Palisade Systems - http://www.palisadesys.com/ - Bought simple support for the Vary header, to help their - accelerator setups. + Palisade Systems funded SSL Bump feature development in Squid3. 
-SGI - http://www.sgi.com/ +The Measurement Factory - http://www.measurement-factory.com/ - SGI has provided hardware donations for Squid developers. + Measurement Factory has constributed significant resources + toward Squid-3 development and server maintenance. -Zope Corporation - http://www.zope.com/ +Treehouse Networks, NZ - http://treenet.co.nz/ - Zope Corporation funded the development of the ESI protocol - (http://www.esi.org) in Squid to provide greater cachability - of dynamic and personalized pages by caching common page - components. Zope engaged one of the core Squid developers - for the project. + Treehouse Networks has contributed significant resources + toward Squid-3 development and maintenance for their customer + gateways and CDN. -craigslist - http://www.craigslist.org/ +@Squid-3.1: +Barefruit - http://www.barefruit.com/ - craigslist has provided funding in recognition of the vital - role squid plays in their web serving architecture. + Barefruit has funded Squid-3.0 and 3.1 development and maintenance, + with a focus on content adaptation (ICAP and eCAP) support. + +BBC (UK) and Siemens IT Solutions and Services (UK) + + Provided developement and testing resources for Solaris /dev/poll + support in Squid-3.1. webwasher AG - http://www.webwasher.com/ - webwasher AG paid for improvements to Squid's iCAP client - implementation. You can find the results of this work - at http://devel.squid-cache.org/icap/ + webwasher AG paid for improvements to Squid-3.1 ICAP client + implementation. -iiNet Ltd - http://www.iinet.net.au/ +SourceForge - http://www.sourceforge.net/ - iiNet Ltd contributed significant development resources to - Squid during its early stages and was instrumental in its - early adoption in the local internet community. iiNet has also - recently supplied equipment to help develop and test the WCCPv2 - implementation in Squid-2.6 and Squid-3. + Provide CVS mirroring services and hosted the Squid-2 developer + project code. 
+@Squid-3.0: Kaspersky Lab - http://www.kaspersky.com/ Kaspersky Lab funded initial development of ICAP support in - Squid-3. - -Barefruit - http://www.barefruit.com/ + Squid-3.0 - Barefruit has funded Squid3 development and maintenance, - with a focus on content adaptation (ICAP and eCAP) support. - -Palisade Systems - http://www.palisadesys.com/ +MARA Systems AB - http://www.marasystems.com/ - Palisade Systems funded SSL Bump feature development in Squid3. + MARA systems has sponsored the bug fixing and maintenance for + most Squid-2.5 releases, and a number of new features to be found + in Squid-3.0. -Treehouse Networks, NZ - http://treenet.co.nz/ +Zope Corporation - http://www.zope.com/ - Treehouse Networks has contributed significant development resources - toward Squid-3 development and maintenance for their customer - gateways and CDN. + Zope Corporation funded the development of the ESI protocol + (http://www.esi.org) in Squid-3.0 to provide greater cachability + of dynamic and personalized pages by caching common page + components. -BBC (UK) and Siemens IT Solutions and Services (UK) +@Squid-2.7: +Picture IQ - http://www.pictureiq.com/ - Provided developement and testing resources for Solaris /dev/poll - support. + Picture IQ bought simple support for the Vary header to Squid-2.7, + to help their accelerator setups. Yahoo! Inc. - http://www.yahoo.com/ Yahoo! Inc. supported the development of improved refresh logics. Many thanks to Yahoo! Inc. for supporting the development of these features. + +@Squid-2.6: +Swell Technology - http://www.swelltech.com/ + + Swell Technology provided development and testing support to the + Squid-2 project, as well as hardware donations for Squid developers. + +@Squid-2.4: +SGI - http://www.sgi.com/ + + SGI has provided hardware donations for Squid developers. + +@Squid-2.3: +The National Science Foundation + + The NSF was the primary funding source for Squid development + from 1996-2000. 
Two grants (#NCR-9616602, #NCR-9521745) + received through the Advanced Networking Infrastructure + and Research (ANIR) Division were administered by the + University of California San Diego. diff --git a/bootstrap.sh b/bootstrap.sh index e9bbf637b3..0d86a52f5f 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -148,6 +148,9 @@ do fi done +# Make a copy of SPONSORS we can package +sed -e 's/@Squid-[0-9\.]*://' SPONSORS.txt || (rm -f SPONSORS.txt && exit 1) + # Fixup autoconf recursion using --silent/--quiet option # autoconf should inherit this option whe recursing into subdirectories # but it currently doesn't for some reason. diff --git a/configure.ac b/configure.ac index 9065ed2095..be9f8cc1a0 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ dnl $Id$ dnl dnl dnl -AC_INIT([Squid Web Proxy],[3.2.0.18-BZR],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.2.0.19-BZR],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 86b6fdda81..def62067bc 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -31,12 +31,14 @@ Although this release is deemed good enough for use in many setups, please note The lack of some features available in Squid-2.x series. See the regression sections below for full details. + eCAP library version 0.2.0 and later are not supported. See eCAP section below for details. + CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series. + Some attempts have been made to port for 3.1, but the unreliability of NAT handling in 3.1 makes this unsafe.

Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are: - CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series. Windows support is still largely missing. AIX support for building with the IBM compiler is broken. OpenSSL 1.0.0 support is incomplete. @@ -319,6 +321,9 @@ reduce the number of warnings by blocking some embedded content.

Currently known and available eCAP modules are listed in the wiki feature page on eCAP. +

Known Issue: libecap version 0.0.3 (exactly) is required to build this series + of Squid. Other versions of libecap contain significant interface differences. + ICAP Bypass and Retry enhancements diff --git a/doc/release-notes/release-3.2.html b/doc/release-notes/release-3.2.html index 70d2ab6334..3d0cbf7be0 100644 --- a/doc/release-notes/release-3.2.html +++ b/doc/release-notes/release-3.2.html @@ -2,10 +2,10 @@ - Squid 3.2.0.18 release notes + Squid 3.2.0.19 release notes -

Squid 3.2.0.18 release notes

+

Squid 3.2.0.19 release notes

Squid Developers


@@ -24,18 +24,19 @@ for Applied Network Research and members of the Web Caching community.

2. Major new features since Squid-3.1

3. Changes to squid.conf since Squid-3.1

@@ -72,7 +73,7 @@ for Applied Network Research and members of the Web Caching community.

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing.

+

The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.2/ or the mirrors.

@@ -87,13 +88,19 @@ report with a stack trace.

Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-3.2.

+

Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:

+

+

    +
  • CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details.
  • +
  • TCP logging of access.log does not recover from broken connections well.
  • +
+

+

Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:

    -
  • CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details.
  • SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.
  • Windows support is still incomplete.
  • -
  • TCP logging of access.log does not recover from broken connections well.
  • The lack of some features available in Squid-2.x series. See the regression sections below for full details.

@@ -111,7 +118,8 @@ report with a stack trace.

The most important of these new features are:

    -
  • Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
  • +
  • CVE-2009-0801 : NAT interception vulnerability to malicious clients.
  • +
  • NCSA helper DES algorithm password limits
  • SMP scalability
  • Helper Multiplexer and On-Demand
  • Helper Name Changes
  • @@ -127,7 +135,7 @@ report with a stack trace.

    Most user-facing changes are reflected in squid.conf (see below).

    -

    2.1 Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients. +

    2.1 CVE-2009-0801 : NAT interception vulnerability to malicious clients.

    Details in Advisory @@ -151,13 +159,34 @@ only to the original destination IP the client was requesting. This means interc can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.

    Known Issue: When non-strict validation fails Squid will relay the request, but can only do -so to the orginal destination IP the client was contacting. This means that interception -proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy. +so safely to the orginal destination IP the client was contacting. The client original +destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers +are at risk of cache poisoning from CVE-2009-0801 vulnerability. Developer time is required to implement safe transit of these requests. Please contact squid-dev if you are able to assist or sponsor the development.

    -

    2.2 SMP scalability +

    2.2 NCSA helper DES algorithm password limits +

    + +

    Details in Advisory +SQUID-2011:2

    + +

    The DES algorithm used by the NCSA Basic authentication helper has an +limit of 8 bytes but some implementations do not error when truncating +longer passwords down to this unsafe level.

    + +

    This both significantly lowers the threshold of difficulty decrypting +captured password files and hides from users the fact that the extra bits +of their chosen long password is not being utilized.

    + +

    The NCSA helper bundled with Squid will prevent passwords longer than 8 +characters being sent to the DES algorithm. The MD5 hash algorithm which +supports longer than 8 character passwords is also supported by this helper +and should be used instead.

    + + +

    2.3 SMP scalability

    The new "workers" squid.conf option can be used to launch multiple worker @@ -201,7 +230,7 @@ worker customization in SMP mode. For details, search for "Conditional configuration" and "SMP-Related Macros" sections in squid.conf.documented.

    -

    2.3 Helper Multiplexer +

    2.4 Helper Multiplexer

    The helper multiplexer's purpose is to relieve some of the burden @@ -249,7 +278,7 @@ the reduction in direct helper spawned by Squid can result in a great reduction

    -

    2.4 Helpers On-Demand +

    2.5 Helpers On-Demand

    Traditionally Squid has been configured with a fixed number of helpers and started them during @@ -285,7 +314,7 @@ When client requests threaten to overload the running helpers an additional 2 wi of starting the maximum number of helpers will occur.

    -

    2.5 Helper Name Changes +

    2.6 Helper Name Changes

    To improve the understanding of what each helper does and where it should be used the helper binaries @@ -368,7 +397,7 @@ This helper has also gone through a version update and now uses more current Ber

    -

    2.6 Multi-Lingual manuals +

    2.7 Multi-Lingual manuals

    The man(8) and man(1) pages bundled with Squid are now provided online for all @@ -381,7 +410,7 @@ versions and beginning with 3.2 they are available in languages other than Engli This move begins the Localization of the internal administrator facing manuals.

    -

    2.7 Solaris 10 pthreads Support (Experimental) +

    2.8 Solaris 10 pthreads Support (Experimental)

    Automatic detection and use of the pthreads library available from Solaris 10

    @@ -393,7 +422,7 @@ are now available in Solaris 10.

    We recommend giving AUFS a try for faster disk storage and encourage feedback.

    -

    2.8 Surrogate/1.0 protocol extensions to HTTP +

    2.9 Surrogate/1.0 protocol extensions to HTTP

    The Surrogate extensions to HTTP protocol enable an origin web server to specify separate @@ -418,7 +447,7 @@ and for some uses desirable to receive external reverse-proxies Surrogate-Ca is required to prevent an unacceptable surrogate ID of 'localhost' being generated.

    -

    2.9 Logging Infrastructure Updated +

    2.10 Logging Infrastructure Updated

    The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.

    @@ -449,7 +478,7 @@ They also now log all client requests, if there was no Referer or User-Agent hea At present it will restart the affected Squid instance if the TCP connection is broken.

    -

    2.10 Client Bandwidth Limits +

    2.11 Client Bandwidth Limits

    In mobile environments, Squid may need to limit Squid-to-client bandwidth @@ -481,7 +510,7 @@ response data from Squid. This delay may need to be lowered in high-bandwidth environments.

    -

    2.11 Better eCAP Suport +

    2.12 Better eCAP Suport

    Support for libecap version 0.2.0 has been added with this series of Squid. Bringing @@ -491,7 +520,7 @@ better support for body handling, and logging.

    against any older libecap releases.

    -

    2.12 Cache Manager access changes +

    2.13 Cache Manager access changes

    The Squid Cache Manager has previously only been accessible under the cache_object:// @@ -796,6 +825,18 @@ This will be included by default if available (see the --without-netfilter-connt

    New option max-stale= to provide a maximum staleness factor. Squid won't serve objects more stale than this even if it failed to validate the object.

    +
    reply_header_access
    +

    Added support for custom response header names.

    + +
    request_header_access
    +

    Added support for custom request header names.

    + +
    reply_header_replace
    +

    Added support for custom response header names.

    + +
    request_header_replace
    +

    Added support for custom request header names.

    +
    tcp_outgoing_address

    This parameter is now compatible with persistent server connections. The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.

    diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 7ef1298f5d..16ce93bfa4 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@
    -Squid 3.2.0.18 release notes +Squid 3.2.0.19 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

    -The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing. This new release is available for download from or the . @@ -26,13 +26,18 @@ report with a stack trace.

    Although this release is deemed good enough for use in many setups, please note the existence of . +

    Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are: + + + CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details. + TCP logging of access.log does not recover from broken connections well. + +

    Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are: - CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details. SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details. Windows support is still incomplete. - TCP logging of access.log does not recover from broken connections well. The lack of some features available in Squid-2.x series. See the regression sections below for full details. @@ -46,7 +51,7 @@ The 3.2 change history can be Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients. +CVE-2009-0801 : NAT interception vulnerability to malicious clients.

    Details in Advisory

    Squid locates the authority-URL details available in an HTTP request as @@ -83,14 +88,15 @@ Most user-facing changes are reflected in squid.conf (see below). can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.

    Known Issue: When non-strict validation fails Squid will relay the request, but can only do - so to the orginal destination IP the client was contacting. This means that interception - proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy. + so safely to the orginal destination IP the client was contacting. The client original + destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers + are at risk of cache poisoning from CVE-2009-0801 vulnerability. Developer time is required to implement safe transit of these requests. Please contact squid-dev if you are able to assist or sponsor the development. NCSA helper DES algorithm password limits -

    Details in Advisory +

    Details in Advisory

    The DES algorithm used by the NCSA Basic authentication helper has an limit of 8 bytes but some implementations do not error when truncating @@ -680,6 +686,18 @@ This section gives a thorough account of those changes in three categories:

    New option max-stale= to provide a maximum staleness factor. Squid won't serve objects more stale than this even if it failed to validate the object. + reply_header_access +

    Added support for custom response header names.

    + + request_header_access +

    Added support for custom request header names.

    + + reply_header_replace +

    Added support for custom response header names.

    + + request_header_replace +

    Added support for custom request header names.

    + tcp_outgoing_address

    This parameter is now compatible with persistent server connections. The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
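Review bot: In the CREDITS hunk at -526,6 +526,17, the added icons/SN.png entry spells the licence name as "Unported Liscence". Since this text is the legal attribution for the icon, it should use the licence's actual name, "Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License", to match the (CC BY-NC-SA 3.0) tag and URL on the following lines.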
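Review bot: In the SPONSORS hunk, the rewritten header says the listed organizations "have provided non-financial support", but entries kept or added in the same hunk describe funding: "Palisade Systems funded SSL Bump feature development", "webwasher AG paid for improvements", "Kaspersky Lab funded initial development", and the NSF entry as "the primary funding source". Either keep the previous "financial or other support" wording or split the list into funded and in-kind sections. The added lines also carry the typos "constributed" (Measurement Factory entry) and "developement" (BBC/Siemens entry), and the Kaspersky entry now ends at "Squid-3.0" without its full stop.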
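Review bot: In the bootstrap.sh hunk at -148,6 +148,9, the "exit 1" in "|| (rm -f SPONSORS.txt && exit 1)" runs inside a parenthesised subshell, so it ends only that subshell and bootstrap.sh continues after a failed sed. Makefile.am in this same commit now lists SPONSORS.txt in EXTRA_DIST, so a failure here should stop the script; a brace group, "|| { rm -f SPONSORS.txt; exit 1; }", does that. Also, as the command reads on this page, sed is given SPONSORS.txt as its input and has no output redirection, which does not produce the packaged copy the comment describes; please confirm the file itself reads from SPONSORS and writes to SPONSORS.txt.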
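Review bot: The line added to doc/release-notes/release-3.1.sgml says of CVE-2009-0801 "This is fixed in 3.2 series", while the release-3.2 hunks in this same commit drop "Fixed" from the section 2.1 heading and move the peer-relay case under issues "which are not able to be fixed in the 3.2 series". The 3.1 wording should be qualified to match: per the updated Known Issue text, 3.2 can only relay safely to the original destination IP, and upstream peers remain at risk of cache poisoning. An administrator reading only the 3.1 notes would otherwise assume that upgrading an interception proxy that feeds a hierarchy closes the issue.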
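Review bot: The rewritten Known Issue paragraph in release-3.2.html and release-3.2.sgml introduces "destinatio" and "relayign" and keeps "orginal"; the new NCSA helper section in release-3.2.html has "an limit of 8 bytes" and "the extra bits ... is not being utilized". These are the user-facing descriptions of two security advisories, so they should be spell-checked before the release is tagged. The NCSA text also switches between "8 bytes" and "8 characters" for the same DES limit; use one unit throughout so readers with multi-byte passwords know which limit the helper enforces.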