From: Amos Jeffries Date: Tue, 14 Aug 2012 23:41:47 +0000 (-0600) Subject: Prep for 3.2.1 X-Git-Tag: SQUID_3_2_1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa013f30efee45ae44f88a30780c93705ce5e219;p=thirdparty%2Fsquid.git Prep for 3.2.1 --- diff --git a/ChangeLog b/ChangeLog index 7e89a1642a..62aa30cd87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +Changes to squid-3.2.1 (15 Aug 2012): + + - Bug 3605: memory leak in peer selection + - Bug 3478: better default handling without -DSTRICT_ORIGINAL_DST + - ... and some documentation updates + Changes to squid-3.2.0.19 (02 Aug 2012): - Regression Bug 3580: IDENT request makes squid crash diff --git a/Makefile.am b/Makefile.am index 62c0a00f74..ca99109284 100644 --- a/Makefile.am +++ b/Makefile.am @@ -43,7 +43,7 @@ EXTRA_DIST = \ INSTALL \ QUICKSTART \ README \ - SPONSORS.txt \ + SPONSORS \ bootstrap.sh \ po4a.conf diff --git a/SPONSORS b/SPONSORS.list similarity index 100% rename from SPONSORS rename to SPONSORS.list diff --git a/bootstrap.sh b/bootstrap.sh index 0d86a52f5f..0103385665 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -149,7 +149,7 @@ do done # Make a copy of SPONSORS we can package -sed -e 's/@Squid-[0-9\.]*://' SPONSORS.txt || (rm -f SPONSORS.txt && exit 1) +sed -e 's/@Squid-[0-9\.]*://' SPONSORS || (rm -f SPONSORS && exit 1) # Fixup autoconf recursion using --silent/--quiet option # autoconf should inherit this option whe recursing into subdirectories diff --git a/configure.ac b/configure.ac index be9f8cc1a0..2af17fabbf 100644 --- a/configure.ac +++ b/configure.ac 
@@ -3337,17 +3337,17 @@ SQUID_DEFINE_BOOL(LINUX_NETFILTER,$enable_linux_netfilter, dnl Netfilter TPROXY depends on libcap but the NAT parts can still work. AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $enable_linux_netfilter]) if test "x$enable_linux_netfilter" = "xyes" -a "x$with_libcap" != "xyes" ; then - AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY]) - AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled]) - AC_MSG_WARN([Reduced support to Interception Proxy]) + AC_MSG_WARN([Missing needed capabilities (libcap 2.09+) for TPROXY]) + AC_MSG_WARN([Linux Transparent Proxy (version 4+) support WILL NOT be enabled]) + AC_MSG_WARN([Reduced support to NAT Interception Proxy]) # AC_DEFINEd later fi if test "x$squid_opt_netfilterconntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then - AC_MSG_ERROR([Linux netfilter conntrack requires libcap support (libcap or libcap2)]) + AC_MSG_ERROR([Linux netfilter conntrack requires libcap support (libcap 2.09+)]) fi if test "x$with_netfilter_conntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then - AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for netfilter mark support]) + AC_MSG_WARN([Missing needed capabilities (libcap 2.09+) for netfilter mark support]) AC_MSG_WARN([Linux netfilter marking support WILL NOT be enabled]) with_netfilter_conntrack=no fi diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 16ce93bfa4..90e9e8d61e 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@
-Squid 3.2.0.19 release notes +Squid 3.2.1 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.0.19 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.1 for testing. This new release is available for download from or the . @@ -29,8 +29,9 @@ Although this release is deemed good enough for use in many setups, please note

Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are: - CVE-2009-0801 : interception proxies cannot relay certain requests to peers safely. see the CVE section below for details. TCP logging of access.log does not recover from broken connections well. + SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers. + Cache Manager reports in txt/plain format even when requested directly via browser.

Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are: @@ -83,14 +84,14 @@ Most user-facing changes are reflected in squid.conf (see below). directive. Squid will respond with 409 Conflict error response when strict validation fails and handles the request normally when strict validation succeeds or is OFF (default). -

Relaying of messages which FAIL non-strct Host: validation are permitted through Squid but - only to the original destination IP the client was requesting. This means interception proxies - can not be used as feeder gateways into a cluster or peer hierarchy without strict validation. +

Relaying of messages which FAIL non-strict Host: validation are permitted through Squid but + only to the original destination IP the client was requesting or to explicit peers. This means + DNS lookups to locate alternative DIRECT destinations will not be done.

Known Issue: When non-strict validation fails Squid will relay the request, but can only do so safely to the orginal destination IP the client was contacting. The client original - destinatio IP is lost when relayign to peers in a hierarchy. This means the upstream peers - are at risk of cache poisoning from CVE-2009-0801 vulnerability. + destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers + are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability. Developer time is required to implement safe transit of these requests. Please contact squid-dev if you are able to assist or sponsor the development. @@ -942,9 +943,18 @@ This section gives an account of those changes in three categories: Removed squid.conf options since Squid-2.6

+ acl +

urlgroup type removed. Use myportname type instead. + cache_dir

read-only option replaced by no-store. + http_port +

urlgroup= removed. Use name= feature instead. + + zero_buffers +

Replaced by native support. + Removed ./configure options since Squid-2.7 @@ -998,6 +1008,9 @@ This section gives an account of those changes in three categories: --disable-kqueue

Obsolete. Disabled by default. + --without-system-md5 +

Obsolete. Disabled by default. + @@ -1047,9 +1060,6 @@ This section gives an account of those changes in three categories: external_refresh_check

Not yet ported from 2.7 - http_port -

urlgroup= not yet ported from 2.6 - ignore_ims_on_miss

Not yet ported from 2.7 @@ -1086,18 +1096,7 @@ This section gives an account of those changes in three categories:

Not yet ported from 2.7 update_headers -

Not yet ported from 2.7 - - zero_buffers -

Not yet ported from 2.7 +

Not yet fully ported from 2.7. Memory and rock storage caches support this natively. UFS caches do not support it. - -Missing ./configure options available in Squid-2.7 -

- - --without-system-md5 - - -

diff --git a/mkrelease.sh b/mkrelease.sh index 9ddb8ee297..210265b806 100755 --- a/mkrelease.sh +++ b/mkrelease.sh @@ -81,6 +81,7 @@ inst $tmpdir/CONTRIBUTORS $dst/CONTRIBUTORS.txt inst $tmpdir/COPYING $dst/COPYING.txt inst $tmpdir/COPYRIGHT $dst/COPYRIGHT.txt inst $tmpdir/CREDITS $dst/CREDITS.txt +inst $tmpdir/SPONSORS $dst/SPONSORS.txt inst $tmpdir/ChangeLog $dst/ChangeLog.txt if [ -f $tmpdir/doc/release-notes/release-$RELEASE.html ]; then cat $tmpdir/doc/release-notes/release-$RELEASE.html | sed -e ' diff --git a/src/cf.data.pre b/src/cf.data.pre index a48f28fedf..697233ef41 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -142,6 +142,11 @@ DOC_START Remove this line. All valid methods for HTTP are accepted by default. DOC_END +# 2.7 Options Removed/Replaced in 3.2 +NAME: zero_buffers +TYPE: obsolete +DOC_NONE + # 2.7 Options Removed/Replaced in 3.1 NAME: incoming_rate TYPE: obsolete
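Review bot: in the bootstrap.sh hunk, `(rm -f SPONSORS && exit 1)` runs in a subshell, so the `exit 1` ends only that subshell and bootstrap.sh carries on after a failed sed. A brace group, `|| { rm -f SPONSORS; exit 1; }`, would stop the script. As the line appears here sed also names only SPONSORS, while this same commit renames SPONSORS to SPONSORS.list, so it is worth confirming that the command reads SPONSORS.list and writes SPONSORS.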
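Review bot: in the configure.ac hunk, the new messages name a minimum version ("libcap 2.09+"), but the three conditions shown still test only `"x$with_libcap" != "xyes"`. If the libcap detection earlier in configure.ac does not enforce 2.09, a host with an older libcap passes these tests and never sees the warning. Either confirm that with_libcap is only set to yes for 2.09 or later, or keep the wording version-neutral.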
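Review bot: in the release-3.2.sgml hunk at -29,8, the CVE-2009-0801 entry is dropped from the list of issues that cannot be fixed in the 3.2 series, yet the Known Issue paragraph in the -83,14 hunk still says upstream peers are at risk from it. Readers who scan only the list will miss that. Keep a one-line pointer to the CVE section in the list, or state in the Known Issue text that it remains open.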
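Review bot: in the release-3.2.sgml hunk at -83,14, the added sentence permits relaying failed-validation requests "or to explicit peers", and the following Known Issue paragraph says the original destination IP is lost on exactly that path, so the two paragraphs should say outright that relaying to peers is allowed but not yet safe. The phrase "are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability" also reads as if the peers cause the issue, and "orginal" in the context line is still misspelled while the neighbouring typos are being fixed.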
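Review bot: in the release-3.2.sgml hunk at -13,7, the announcement keeps "for testing" while the version moves from 3.2.0.19 to 3.2.1. If 3.2.1 is the production release that wording is stale and should be dropped; if it is intentional, a short note on why would help.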
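Review bot: in the src/cf.data.pre hunk, the new zero_buffers entry uses DOC_NONE, so an admin upgrading with that line in squid.conf gets no guidance, whereas the obsolete entry just above it in the context carries a DOC_START block beginning "Remove this line." A matching DOC_START/DOC_END pair saying the directive can be removed because the behaviour is now native would line up with the "Replaced by native support" text added to the release notes.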