+Changes to squid-3.2.0.18 (29 Jun 2011):
+
+ - Bug 3576: ICY streams being Transfer-Encoding:chunked
+ - Bug 3537: statistics histogram leaks memory
+ - Bug 3526: digest authentication crash
+ - Bug 3484: Docs: sslproxy_cert_error example flawed
+ - Bug 3462: Delay Pools and ICAP
+ - Bug 3405: ssl_crtd crashes failing to remove certificate
+ - Bug 3380: Mac OSX compile errors with CMSG_SPACE
+ - Bug 3258: Requests hang when Host forgery verify fails
+ - Bug 3186: Digest auth caches failed state without revalidating
+ - Bug 2976: ERR_INVALID_URL for transparently captured requests when reconfiguring
+ - Bug 2885: AIX: check and set required compiler flags
+ - Fix ssl_crtd compile issues with libsslutil
+ - Fix build with GCC 4.7 (and probably other C++11 compilers).
+ - Fix double-escape of %R on deny_info redirect responses
+ - Support status 308 Permanent Redirect
+ - Support for TLSv1.1 and TLSv1.2 options and methods
+ - Support passing external_acl_type credentials on ICAP
+ - Language Updates: fr, hy, pt_BR
+ - ... and many compile issues on Windows
+ - ... and some minor code polish
+
Changes to squid-3.2.0.17 (12 Apr 2011):
- Bug 3527: EUI compile errors on Mac OS X 10.5.8 PPC
- Bug 3164: Total memory info display 32-bit overflows
- Bug 3155: Werror is hard-coded in libTrie build
- Bug 3151: squid_kerb_auth: use autoconf LIBS instead of FLAGS for library linkage
- - Bug 2976: invalid URL on intercepted requests during reconfigure
+ - Bug 2976: invalid URL on intercepted requests during reconfigure (workaround)
- Bug 2720: comment in same line as cache/mem_replacement_policy causes error
- Bug 2621: Provide request headers to RESPMOD when using cache_peer.
- Bug 2330: AuthUser objects are never unlocked
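Review bot: The 3.2.0.18 list records Bug 3258 ("Requests hang when Host forgery verify fails") but has no line for the new host_verify_strict directive, or for the default response to a failed Host: check no longer being 409 Conflict, both of which the release notes in this same change describe. That is an operator-visible change in security behaviour and deserves its own entry. Separately, Bug 2976 now appears under both releases with different summaries, and only the 3.2.0.17 one is marked "(workaround)"; the 3.2.0.18 entry should say whether it is the complete fix.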
<!doctype linuxdoc system>
<article>
-<title>Squid 3.2.0.17 release notes</title>
+<title>Squid 3.2.0.18 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.2.0.17 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<p>
Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.2&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.2">.
+<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
+
+<itemize>
+ <item>CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details.
+ <item>SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.
+ <item>Windows support is still incomplete.
+ <item>TCP logging of access.log does not recover from broken connections well.
+ <item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
+</itemize>
+
+
<sect1>Changes since earlier releases of Squid-3.2
<p>
The 3.2 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.2/changesets/" name="viewed here">.
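Review bot: In the new known-issues list, the CVE-2009-0801 item says only that interception proxies cannot relay "certain requests" to peers; if this is the case described in the Known Issue added to the Host: verification text (requests that fail Host: validation), name that condition here so an operator can tell whether a peer hierarchy is affected. Also "which only depends" should be "which only depend", the two "see ..." sentences should start with a capital, and the list is followed by two added blank lines where one is enough.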
<item>Helper Multiplexer and On-Demand
<item>Helper Name Changes
<item>Multi-Lingual manuals
- <item>Solaris 10 pthreads Support (Experimental)
+ <item>Solaris 10 pthreads Support
<item>Surrogate/1.0 protocol extensions to HTTP
<item>Logging Infrastructure Updated
<item>Client Bandwidth Limits
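Review bot: Dropping "(Experimental)" from the Solaris 10 pthreads item promotes the feature to supported, but the 3.2.0.18 ChangeLog entries in this change carry no Solaris or pthreads line to justify it. Either add the ChangeLog entry for the work that stabilised it or state in the Solaris section what changed.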
DNS entries.
<p>When the Host: authority contradicts another authority source Squid will log
- "SECURITY ALERT: Host: header forgery detected" and respond with a 409 Conflict
- error status page.
+ "SECURITY ALERT: Host: header forgery detected". The response will then be determined
+ by the <a href="http://www.squid-cache.org/Doc/config/host_verify_strict/">host_verify_strict</a>
+ directive. Squid will respond with 409 Conflict error response when strict validation
+ fails and handles the request normally when strict validation succeeds or is OFF (default).
+
+<p>Relaying of messages which FAIL non-strct Host: validation are permitted through Squid but
+ only to the original destination IP the client was requesting. This means interception proxies
+ can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.
+
+<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
+ so to the orginal destination IP the client was contacting. This means that interception
+ proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy.
+ Developer time is required to implement safe transit of these requests.
+ Please contact squid-dev if you are able to assist or sponsor the development.
<sect1>SMP scalability
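Review bot: The first added paragraph says Squid "handles the request normally" when strict validation is OFF, but the next two say a request failing non-strict validation is relayed only to the original destination IP and not to peers, which is not normal handling; reword the first paragraph so the default behaviour is described consistently. The second and third paragraphs state the same restriction twice and should be merged into the single Known Issue. The link uses HTML <a href="..."> where the rest of this linuxdoc file uses <url url="..." name="...">, and "non-strct", "orginal" and "can not" need fixing.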
These logs are now created using an access_log line with the format "referrer" or "useragent".
They also now log all client requests, if there was no Referer or User-Agent header a dash (-) is logged.
+<p>Known Issue: The TCP logging module does not recover from broken connections well.
+ At present it will restart the affected Squid instance if the TCP connection is broken.
+
<sect1> Client Bandwidth Limits
<p>In mobile environments, Squid may need to limit Squid-to-client bandwidth
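Review bot: "does not recover from broken connections well" in the TCP logging Known Issue understates what the next sentence says, which is that a broken log connection restarts the affected Squid instance. State that impact directly (an outage of the log receiver or the network path to it forces a proxy restart), say whether the restart is deliberate or a crash, and say what happens to log entries in flight, so operators can decide whether TCP logging is acceptable for them.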
<p>Support for libecap version 0.2.0 has been added with this series of Squid. Bringing
better support for body handling, and logging.
+<p>Known Issue: Due to API changes in libecap this release of Squid will not build
+ against any older libecap releases.
+
<sect1>Cache Manager access changes
<p>The Squid Cache Manager has previously only been accessible under the cache_object://
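Review bot: "any older libecap releases" in the added Known Issue gives no version to check against. The context paragraph names libecap 0.2.0, so write "libecap releases older than 0.2.0" and say how the build fails (configure-time check or compile error) so packagers can recognise it.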
<tag>eui_lookup</tag>
<p>Whether to lookup the EUI or MAC address of a connected client.
+ <tag>host_verify_strict</tag>
+ <p>New option to enable super-strict HTTP and DNS information match.
+ Ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a
+ three-legged security verification. Preventing domain hijacking or malicious poisoning
+ attacks by malicious scripts.
+ <p>The default is to verify only intercepted traffic, to log all issues and let failed
+ traffic through when doing so can be done safely.
+
<tag>icap_206_enable</tag>
<p>New option to toggle whether the ICAP 206 (Partial Content) responses extension.
Default is on.
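Review bot: The host_verify_strict entry never states the directive's values or its default; "The default is to verify only intercepted traffic" describes behaviour but not that the default is OFF or that strict validation failures get the 409 Conflict response, both of which appear only in the Host: verification section. It also says the option is "Preventing domain hijacking or malicious poisoning attacks" while the default logs the issue and lets failed traffic through, so the protection claim should be tied to the strict setting. "Ensuring ..." and "Preventing ..." are sentence fragments, and "malicious" is used twice in one clause.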
<em>idle=N</em> determines how many helper to retain as buffer against sudden traffic loads.
<em>concurrency=N</em> previously called <em>auth_param ... concurrency</em> as a separate option.
<p>Removed Basic, Digest, NTLM, Negotiate <em>auth_param ... concurrency</em> setting option.
+ <p>Known Issue: NTLM and Negotiate protocols do not support concurrency. When set this option is ignored.
<tag>cache_dir</tag>
<p><em>min-size</em> option ported from Squid-2
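Review bot: In the added Known Issue, "this option" has no clear referent: it follows the paragraph about the removed auth_param ... concurrency setting, while the live option is concurrency=N two lines up. Name concurrency=N explicitly, and say whether Squid logs a warning when it ignores the value for NTLM and Negotiate, since a silently ignored setting is hard to diagnose.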