From: Amos Jeffries <yadij@users.noreply.github.com>
Date: Tue, 14 Jan 2020 03:56:20 +0000 (+0000)
Subject: Prep for v4.10 and v5.0.1 (#538)
X-Git-Tag: 4.15-20210522-snapshot~175
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=755eac9438614e4acadae7d7d6dc727ecdc40865;p=thirdparty%2Fsquid.git

Prep for v4.10 and v5.0.1 (#538)
---

diff --git a/ChangeLog b/ChangeLog
index c6271c85fb..2bff5d7e51 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,64 @@
+Changes in squid-5.0.1 (14 Jan 2020):
+
+	- Bug 4989: Leaking StoreEntry objects on Cache Digest rebuilds
+	- Bug 4912: same-name notes being appended instead of replaced
+	- Bug 4864: !Comm::MonitorsRead assertion in maybeReadVirginBody()
+	- Bug 4579: cannot hit an entry being written by another worker
+	- ICAP: Initial support for trailers
+	- Add auth_schemes to control schemes presence and order in 401s/407s
+	- Make CONNECT ACL a built-in default
+	- Remove USE_CHUNKEDMEMPOOLS compiler flag
+	- Two new ACLs implemented: annotate_transaction and annotate_client
+	- Add response delay pools feature for Squid-to-client speed limiting
+	- QA: allow test-suite to be run without a full build
+	- Happy Eyeballs: Use each fully resolved forwarding destination ASAP
+	- Support selective CF: collapsed_forwarding_access
+	- Reworked packet/connection marking
+	- Add new deny_info %A macro
+	- Identify collapsed transactions
+	- Add sample Kerberos group authentication external_acl helper
+	- Optimization: Fewer memory (re)allocations for HTTP headers
+	- Add TrivialDB support
+	- Do not send Content-Length in 1xx or 204 responses
+	- negotiate_kerberos_auth: fix memory leaks
+	- ntlm_fake_auth: add ability to test delayed responses
+	- Add %ssl::<cert macro for logging server X.509 certificate
+	- Reuse reserved Negotiate and NTLM helpers after an idle timeout
+	- Log PROXY protocol v2 TLVs
+	- Support logformat %codes in error page templates
+	- Fix incremental parsing of chunked quoted extensions
+	- Peering support for SslBump
+	- RFC 8586: Loop Detection in Content Delivery Networks
+	- Prevent TLS transaction stalls by preserving flags.read_pending
+	- Fix "BUG: Lost previously bumped from-Squid connection"
+	- Add %master_xaction logformat code
+	- Log "-" instead of the made-up method "NONE"
+	- Add GeneratingCONNECT step for the existing at_step ACL
+	- Report context of level-0/1 cache.log messages
+	- Re-enabled updates of stored headers on HTTP 304 responses
+	- Translations: Fix grammatical error in French error pages
+	- Smarter auth_param utf8 handling, including CP1251 support
+	- Fix rock disk entry contamination related to aborted swapouts
+	- Send HTTP/500 (Internal Server Error) when lacking peers
+	- Fix prohibitively slow search for new SMP shm pages
+	- Centralized PagePool/PageStack ID generation
+	- ... and many documentation changes
+	- ... and much code cleanup and polishing
+
+Changes to squid-4.10 (14 Jan 2020):
+
+	- Bug 5009: Build failure with older clang libc++
+	- Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
+	- Bug 5007: Docs: Fix max_filedescriptors description
+	- Bug 4735: Truncated chunked responses cached as whole
+	- ext_lm_group_acl: Improved username handling
+	- Fix FTP buffers handling
+	- Fix shared memory size calculation on 64-bit systems
+	- Fix server_cert_fingerprint on cert validator-reported errors
+	- Fix request URL generation in reverse proxy configurations
+	- ... and several documentation updates
+	- ... and several compile fixes
+
 Changes to squid-4.9 (05 Nov 2019):
 
 	- Bug 4978: eCAP crash after using MyHost().newRequest()
diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml
index 2640103ba5..e501eb4b50 100644
--- a/doc/release-notes/release-4.sgml
+++ b/doc/release-notes/release-4.sgml
@@ -1,6 +1,6 @@
 <!doctype linuxdoc system>
 <article>
-<title>Squid 4.9 release notes</title>
+<title>Squid 4.10 release notes</title>
 <author>Squid Developers</author>
 
 <abstract>
@@ -12,7 +12,7 @@ for Applied Network Research and members of the Web Caching community.
 <toc>
 
 <sect>Notice
-<p>The Squid Team are pleased to announce the release of Squid-4.9 for testing.
+<p>The Squid Team are pleased to announce the release of Squid-4.10.
 
 This new release is available for download from <url url="http://www.squid-cache.org/Versions/v4/"> or the
  <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
diff --git a/doc/release-notes/release-5.sgml b/doc/release-notes/release-5.sgml
index f6603742c7..a1db7ed05a 100644
--- a/doc/release-notes/release-5.sgml
+++ b/doc/release-notes/release-5.sgml
@@ -1,6 +1,6 @@
 <!doctype linuxdoc system>
 <article>
-<title>Squid 5.0.0 release notes</title>
+<title>Squid 5.0.1 release notes</title>
 <author>Squid Developers</author>
 
 <abstract>
@@ -12,7 +12,7 @@ for Applied Network Research and members of the Web Caching community.
 <toc>
 
 <sect>Notice
-<p>The Squid Team are pleased to announce the release of Squid-5.0.0 for testing.
+<p>The Squid Team are pleased to announce the release of Squid-5.0.1 for testing.
 
 This new release is available for download from <url url="http://www.squid-cache.org/Versions/v5/"> or the
  <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
@@ -40,6 +40,8 @@ The Squid-5 change history can be <url url="http://www.squid-cache.org/Versions/
 	<item>Happy Eyeballs Update
 	<item>Kerberos Group Helper
 	<item>TrivialDB Support
+	<item>RFC 8586: Loop Detection in Content Delivery Networks
+	<item>Peering support for SSL-Bump
 </itemize>
 
 Most user-facing changes are reflected in squid.conf (see below).
@@ -122,6 +124,35 @@ Most user-facing changes are reflected in squid.conf (see below).
    the helpers functionality to rebuild it as needed.
 
 
+<sect1>Loop Detection in Content Delivery Networks
+<p>Details in <url url="https://tools.ietf.org/html/rfc8586" name="RFC 8586">
+
+<p>Squid now uses the CDN-Loop header as a source for loop detection.
+
+<p>This header is only relevant to CDN installations. For which the
+   <em>surrogate_id</em> configuration directive specifies the authoritative
+   ID.
+
+<p>Squid does not add this header by default, preferring to use the
+   Via mechanism instead. Administrators may add it to requests
+   with the <em>request_header_add</em> directive or remove with
+   <em>request_header_remove</em>.
+
+
+<sect1>Peering support for SSL-Bump
+<p>Squid now supports forwarding of bumped, re-encrypted HTTPS requests through
+   a cache_peer using a standard HTTP CONNECT tunnel.
+
+<p>No support for triggering client authentication when a cache_peer
+   configuration instructs the bumping Squid to relay authentication info
+   contained in client CONNECT request. The bumping Squid still responds
+   with HTTP 200 (Connection Established) to the client CONNECT request (to
+   see TLS client handshake) <em>before</em> selecting the cache_peer.
+
+<p>HTTPS cache_peers are not yet supported primarily because Squid cannot
+   yet do TLS-in-TLS.
+
+
 <sect>Changes to squid.conf since Squid-4
 <p>
 There have been changes to Squid's configuration file since Squid-4.
@@ -147,6 +178,19 @@ This section gives a thorough account of those changes in three categories:
 	<p>New access control to restrict collapsed forwarding to a subset of
 	   eligible HTTP, ICP and HTCP requests.
 
+	<tag>happy_eyeballs_connect_gap</tag>
+	<p>New directive to specify the minimum delay between opening spare
+	   connections to any server.
+
+	<tag>happy_eyeballs_connect_limit</tag>
+	<p>New directive to specify the maximum number of spare connections
+	   to any server.
+
+	<tag>happy_eyeballs_connect_timeout</tag>
+	<p>New directive to specify the minimum delay between opening a
+	   primary to-server connection and opening a spare to-server
+	   connection for the same transaction.
+
 	<tag>mark_client_connection</tag>
 	<p>New access control to apply a Netfilter CONNMARK value to a TCP client
 	   connection.
@@ -164,6 +208,9 @@ This section gives a thorough account of those changes in three categories:
 	<p>New access control to determines whether a specific named response
 	   delay pool is used for the HTTP transaction.
 
+	<tag>shared_transient_entries_limit</tag>
+	<p>Replacement for <em>collapsed_forwarding_shared_entries_limit</em>.
+
 </descrip>
 
 <sect1>Changes to existing directives<label id="modifieddirectives">
@@ -177,9 +224,27 @@ This section gives a thorough account of those changes in three categories:
 	<p>New <em>annotate_transaction</em> type to annotate an HTTP transaction.
 	   Annotations can be used by other ACLs or helpers and persist until
 	   logging of the HTTP transaction is completed.
+	<p>New value <em>GeneratingCONNECT</em> for the <em>at_step</em> type to
+	   match when Squid is about to send a CONNECT request to a cache peer.
 	<p>Replaced <em>clientside_mark</em> with <em>client_connection_mark</em>
 	   type to match Netfilter CONNMARK of the client TCP connection.
 
+	<tag>auth_param</tag>
+	<p>New <em>reservation-timeout=</em> option to allow NTLM and Negotiate
+	   helpers to forget about clients with outstanding authentication
+	   requests.
+	<p>Added support for CP1251 charset conversion when <em>utf8</em> option
+	   is configured.
+
+	<tag>authenticate_cache_garbage_interval</tag>
+	<p>Now disabled when <em>--disable-auth</em> build parameter is used.
+
+	<tag>authenticate_ttl</tag>
+	<p>Now disabled when <em>--disable-auth</em> build parameter is used.
+
+	<tag>authenticate_ip_ttl</tag>
+	<p>Now disabled when <em>--disable-auth</em> build parameter is used.
+
 	<tag>deny_info</tag>
 	<p>New code <em>%A</em> to display Squid listening IP address the client
 	   TCP connection was connected to.
@@ -187,8 +252,14 @@ This section gives a thorough account of those changes in three categories:
 	<tag>logformat</tag>
 	<p>New <em>ssl::&lt;cert</em> macro code to display received server X.509
 	   certificate in PEM format.
+	<p>New <em>proxy_protocol::&gt;h</em> code to display received PROXY
+           protocol version 2 TLV values.
+	<p>New <em>master_xaction</em> code to display Squids internal
+	   transaction ID.
 	<p>New <em>CF</em> value for <em>%Ss</em> code to indicate the response
 	   was handled by Collapsed Forwarding.
+	<p>Codes <em>rm</em>, <em>&lt;rm</em> and <em>&gt;rm</em> display "-"
+	   instead of the made-up method NONE.
 
 </descrip>
 
@@ -198,6 +269,9 @@ This section gives a thorough account of those changes in three categories:
 	<tag>clientside_mark</tag>
 	<p>Replaced by <em>mark_client_packet</em>.
 
+	<tag>collapsed_forwarding_shared_entries_limit</tag>
+	<p>Replaced by <em>shared_transient_entries_limit</em>.
+
 	<tag>dns_v4_first</tag>
 	<p>Removed. The new "Happy Eyeballs" algorithm uses received IP
 	   addresses as soon as they are needed.