From: Amos Jeffries Date: Mon, 18 Apr 2011 12:27:45 +0000 (-0600) Subject: Prep for 3.1.12.1 and 3.2.0.7 X-Git-Tag: take06~6^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=065f77794860e81dcfcd228272a84b86bcdab290;p=thirdparty%2Fsquid.git Prep for 3.1.12.1 and 3.2.0.7 --- diff --git a/ChangeLog b/ChangeLog index befcaf05c2..2541e4f27d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +Changes to squid-3.2.0.7 (19 Apr 2011): + + - Regression fix: NTLM and Negotiate auth assertion "RefCountCount() == 2" + - Regression fix: icons/ FHS compliance + - Regression fix: Startup aborts with URL error when --disable-htcp + - Bug 3192: comm.cc:216: "fd_table[fd].halfClosedReader != NULL" + - Add negotiate_wrapper_auth version 1.0.1 + - Fixed %dt logging in the presence of REQMOD + - Fixed chunked request forwarding in ICAP REQMOD presence + - ... all bug fixes and updates from 3.1.12.1 + - ... many code polishings and display cleanups + Changes to squid-3.2.0.6 (04 Apr 2011): - Regression fix: upgrade existing icons @@ -152,6 +164,16 @@ Changes to squid-3.2.0.1 (03 Aug 2010): - ... and a great many testing improvements - ... and many documentation updates +Changes to squid-3.1.12.1 (19 Apr 2011): + + - Port from 3.2: Dynamic SSL Certificate generation + - Bug 3194: selinux may prevent ntlm_smb_lm_auth from using /tmp + - Bug 3185: 3.1.11 fails to compile on OpenBSD 4.8 and 4.9 + - Bug 3183: Invalid URL accepted with url host part of only '@' + - Display ERROR in cache.log for invalid configured paths + - Cache Manager: send User-Agent header from cachemgr.cgi + - ... and many portability compile fixes for non-GCC systems. + Changes to squid-3.1.12 (04 Apr 2011): - Regression fix: Use bigger buffer for server reads. diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index dbbed829e9..b366332b56 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -1,6 +1,6 @@
-Squid 3.1.12 release notes +Squid 3.1.12.1 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.1.12 +The Squid Team are pleased to announce the release of Squid-3.1.12.1 This new release is available for download from or the . @@ -62,6 +62,7 @@ The most important of these new features are: eCAP Adaptation Module support ICAP Bypass and Retry enhancements ICY streaming protocol support + Dynamioc SSL Certificate Generatio (3.1.12.1 and later) Most user-facing changes are reflected in squid.conf (see below). @@ -287,6 +288,25 @@ Microsoft NTLM Authentication instead of HTTP standard authentication through a configuration. Use of interception for port 443 is not officially supported, despite being known to work under certain limited networking circumstances. + Dynamic SSL Certificate Generation +

SslBump users know how many certificate warnings a single complex site +(using dedicated image, style, and/or advertisement servers for embedded content) +can generate. The warnings are legitimate and are caused by Squid-provided site +certificate. Two things may be wrong with that certificate: + + Squid certificate is not signed by a trusted authority. + Squid certificate name does not match the site domain name. + +Squid can do nothing about (A), but in most targeted environments, users will +trust the "man in the middle" authority and install the corresponding root +certificate. + +

To avoid mismatch (B), the DynamicSslCert feature concentrates on generating +site certificates that match the requested site domain name. Please note that +the browser site name check does not really add much security in an SslBump +environment where the user already trusts the "man in the middle". The check +only adds warnings and creates page rendering problems in browsers that try to +reduce the number of warnings by blocking some embedded content. eCAP Adaptation Module support @@ -894,6 +914,12 @@ NOCOMMENT_START # ssl_bump allow all + sslcrtd_program +

Specify the location and options of the executable for ssl_crtd process. + + sslcrtd_children +

Configures the number of sslcrtd processes to spawn + sslproxy_cert_error

New Access Control to selectively bypass server certificate validation errors. DEFAULT: None bypassed. @@ -1379,6 +1405,10 @@ This section gives an account of those changes in three categories: original or indirect client when a request has been forwarded through other proxies. + --enable-ssl-crtd +

Prevent Squid from direct generation of SSL private key and + certificate request and instead enables the ssl_crtd,/em> processes. + --enable-zph-qos

Build with support for ZPH Quality of Service controls diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index a7f07f2893..573727438d 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@

-Squid 3.2.0.6 release notes +Squid 3.2.0.7 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.0.6 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.0.7 for testing. This new release is available for download from or the . @@ -42,7 +42,6 @@ The 3.2 change history can be To avoid mismatch (B), the DynamicSslCert feature concentrates on generating -site certificates that match the requested site domain name. Please note that -the browser site name check does not really add much security in an SslBump -environment where the user already trusts the "man in the middle". The check -only adds warnings and creates page rendering problems in browsers that try to -reduce the number of warnings by blocking some embedded content. - Changes to squid.conf since Squid-3.1

There have been changes to Squid's configuration file since Squid-3.1. @@ -447,12 +427,6 @@ This section gives a thorough account of those changes in three categories: write_timeout

New setting to limit time spent waiting for data writes to be confirmed. - - sslcrtd_program -

Specify the location and options of the executable for ssl_crtd process. - - sslcrtd_children -

Configures the number of sslcrtd processes to spawn Changes to existing tags

Disables the libnetfilter_conntrack library being used for the new qos_flows option mark. default is to auto-detect the library and use where available. - - --enable-ssl-crtd -

Prevent Squid from directly generation of SSL private key and - certificate request and instead enables the ssl_crtd processes. Changes to existing options
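Review bot: the new feature-list entry in doc/release-notes/release-3.1.sgml (hunk @@ -62,6 +62,7 @@) has two typos, "Dynamioc" and "Generatio". It should read "Dynamic SSL Certificate Generation (3.1.12.1 and later)", matching the section title added further down in the same file.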
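Review bot: the closing paragraph of the new Dynamic SSL Certificate Generation section (release-3.1.sgml, @@ -287,6 +288,25 @@) tells readers that the browser site name check "does not really add much security" under SslBump, but does not say where the origin server's certificate gets checked once the browser only sees a Squid-generated one. A sentence cross-referencing sslproxy_cert_error, which appears as context in the squid.conf hunk of this same file ("DEFAULT: None bypassed"), would close that gap. The prose also refers to problems "(A)" and "(B)", so confirm the list markup renders letters, and "caused by Squid-provided site certificate" is missing an article.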
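Review bot: the two new squid.conf entries in release-3.1.sgml (@@ -894,6 +914,12 @@) name the helper inconsistently: sslcrtd_program says "ssl_crtd process" while sslcrtd_children says "sslcrtd processes". Pick one spelling for the helper, and end the sslcrtd_children description with a period. Neither entry states a default, whereas the neighbouring sslproxy_cert_error entry does; adding one would keep the list uniform.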
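Review bot: the --enable-ssl-crtd description added to release-3.1.sgml (@@ -1379,6 +1405,10 @@) contains a malformed closing tag, "ssl_crtd,/em>", where the comma should be "<". The sentence also mixes verb forms ("Prevent Squid from ... and instead enables"); something like "Prevents Squid from directly generating the SSL private key and certificate request, and instead enables the ssl_crtd processes" reads cleanly.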
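Review bot: the release-3.2.sgml hunks drop the Dynamic SSL Certificate Generation text, the sslcrtd_program and sslcrtd_children entries, and --enable-ssl-crtd without leaving any pointer behind. Since the 3.1 notes mark the feature as "3.1.12.1 and later", someone moving to 3.2 from 3.1.12 or earlier will not find these settings in the 3.2 notes; a one-line reference to the 3.1 release notes would cover that case.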