From: Amos Jeffries Date: Fri, 29 Jun 2012 00:57:50 +0000 (-0600) Subject: Prep for 3.2.0.18 X-Git-Tag: sourceformat-review-1~205 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f787354b0d72c059eedc6e4e4d6f0377137677fe;p=thirdparty%2Fsquid.git Prep for 3.2.0.18 --- diff --git a/ChangeLog b/ChangeLog index b99d9930f8..50e2c26007 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,26 @@ +Changes to squid-3.2.0.18 (29 Jun 2011): + + - Bug 3576: ICY streams being Transfer-Encoding:chunked + - Bug 3537: statistics histogram leaks memory + - Bug 3526: digest authentication crash + - Bug 3484: Docs: sslproxy_cert_error example flawed + - Bug 3462: Delay Pools and ICAP + - Bug 3405: ssl_crtd crashes failing to remove certificate + - Bug 3380: Mac OSX compile errors with CMSG_SPACE + - Bug 3258: Requests hang when Host forgery verify fails + - Bug 3186: Digest auth caches failed state without revalidating + - Bug 2976: ERR_INVALID_URL for transparently captured requests when reconfiguring + - Bug 2885: AIX: check and set required compiler flags + - Fix ssl_crtd compile issues with libsslutil + - Fix build with GCC 4.7 (and probably other C++11 compilers). + - Fix double-escape of %R on deny_info redirect responses + - Support status 308 Permanent Redirect + - Support for TLSv1.1 and TLSv1.2 options and methods + - Support passing external_acl_type credentials on ICAP + - Language Updates: fr, hy, pt_BR + - ... and many compile issues on Windows + - ... and some minor code polish + Changes to squid-3.2.0.17 (12 Apr 2011): - Bug 3527: EUI compile errors on Mac OS X 10.5.8 PPC 
@@ -520,7 +543,7 @@ Changes to squid-3.1.12 (04 Apr 2011): - Bug 3164: Total memory info display 32-bit overflows - Bug 3155: Werror is hard-coded in libTrie build - Bug 3151: squid_kerb_auth: use autoconf LIBS instead of FLAGS for library linkage - - Bug 2976: invalid URL on intercepted requests during reconfigure + - Bug 2976: invalid URL on intercepted requests during reconfigure (workaround) - Bug 2720: comment in same line as cache/mem_replacement_policy causes error - Bug 2621: Provide request headers to RESPMOD when using cache_peer. - Bug 2330: AuthUser objects are never unlocked diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 7c9e1c12fa..7897e5fefe 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@
-Squid 3.2.0.17 release notes +Squid 3.2.0.18 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.0.17 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing. This new release is available for download from or the . @@ -26,6 +26,17 @@ report with a stack trace.

Although this release is deemed good enough for use in many setups, please note the existence of . +

Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are: + + + CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details. + SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details. + Windows support is still incomplete. + TCP logging of access.log does not recover from broken connections well. + The lack of some features available in Squid-2.x series. See the regression sections below for full details. + + + Changes since earlier releases of Squid-3.2

The 3.2 change history can be . @@ -40,7 +51,7 @@ The 3.2 change history can be host_verify_strict + directive. Squid will respond with 409 Conflict error response when strict validation + fails and handles the request normally when strict validation succeeds or is OFF (default). + +

Relaying of messages which FAIL non-strct Host: validation are permitted through Squid but + only to the original destination IP the client was requesting. This means interception proxies + can not be used as feeder gateways into a cluster or peer hierarchy without strict validation. + +

Known Issue: When non-strict validation fails Squid will relay the request, but can only do + so to the orginal destination IP the client was contacting. This means that interception + proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy. + Developer time is required to implement safe transit of these requests. + Please contact squid-dev if you are able to assist or sponsor the development. SMP scalability @@ -309,6 +332,9 @@ Most user-facing changes are reflected in squid.conf (see below). These logs are now created using an access_log line with the format "referrer" or "useragent". They also now log all client requests, if there was no Referer or User-Agent header a dash (-) is logged. +

Known Issue: The TCP logging module does not recover from broken connections well. + At present it will restart the affected Squid instance if the TCP connection is broken. + Client Bandwidth Limits

In mobile environments, Squid may need to limit Squid-to-client bandwidth @@ -344,6 +370,9 @@ Most user-facing changes are reflected in squid.conf (see below).

Support for libecap version 0.2.0 has been added with this series of Squid. Bringing better support for body handling, and logging. +

Known Issue: Due to API changes in libecap this release of Squid will not build + against any older libecap releases. + Cache Manager access changes

The Squid Cache Manager has previously only been accessible under the cache_object:// @@ -452,6 +481,14 @@ This section gives a thorough account of those changes in three categories: eui_lookup

Whether to lookup the EUI or MAC address of a connected client. + host_verify_strict +

New option to enable super-strict HTTP and DNS information match. + Ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a + three-legged security verification. Preventing domain hijacking or malicious poisoning + attacks by malicious scripts. +

The default is to verify only intercepted traffic, to log all issues and let failed + traffic through when doing so can be done safely. + icap_206_enable

New option to toggle whether the ICAP 206 (Partial Content) responses extension. Default is on. @@ -539,6 +576,7 @@ This section gives a thorough account of those changes in three categories: idle=N determines how many helper to retain as buffer against sudden traffic loads. concurrency=N previously called auth_param ... concurrency as a separate option.

Removed Basic, Digest, NTLM, Negotiate auth_param ... concurrency setting option. +

Known Issue: NTLM and Negotiate protocols do not support concurrency. When set this option is ignored. cache_dir

min-size option ported from Squid-2
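Review bot: The new heading in the first ChangeLog hunk is dated "29 Jun 2011", which does not match this commit's date of 29 Jun 2012. Suggest changing it to "Changes to squid-3.2.0.18 (29 Jun 2012):" so the release entry carries the year it was actually prepared in.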
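Review bot: The sentence introducing the known-issues list in doc/release-notes/release-3.2.sgml (hunk -26,6 +26,17) has a subject/verb mismatch: "Currently known issues which only depends on available developer time" should read "depend". The CVE-2009-0801 and SMP items in the same list also start their second sentence in lower case ("see the CVE section below", "see the bugs list above"), while the last item uses "See"; capitalise them for consistency.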
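Review bot: The Host: validation text added in release-3.2.sgml (hunk -40,7 +51,7) contains two typos, "non-strct" and "orginal", which should be "non-strict" and "original". The "Known Issue:" paragraph also repeats the restriction already stated in the paragraph just above it (relay only to the original destination IP, so interception proxies cannot feed peers). Consider folding the two into one paragraph that states the restriction once and then gives the call for developer help.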
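Review bot: The host_verify_strict entry added to the new-directives list (hunk -452,6 +481,14) describes only the default behaviour and never says what enabling the option does to a failed request. The Host: validation section earlier in this same patch says Squid answers with 409 Conflict when strict validation fails; repeat that here or point to that section. The lines beginning "Ensuring the HTTP URI details" and "Preventing domain hijacking" are sentence fragments, and "malicious poisoning attacks by malicious scripts" says "malicious" twice; rewording them as full sentences would read better.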
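Review bot: In the auth_param hunk (-539,6 +576,7), "When set this option is ignored" does not say which option is meant. The surrounding lines mention both the new concurrency=N helper parameter and the removed auth_param ... concurrency setting. Suggest naming it explicitly, for example "concurrency=N is ignored for NTLM and Negotiate helpers", and stating whether Squid logs a warning when it ignores the value, so an administrator does not assume the setting took effect.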