forked from squid-cache/squid
ChangeLog
Changes to squid-4.8 (09 Jul 2019):
- Bug 4957: Multiple XSS issues in cachemgr.cgi
- Bug 4953: to_localhost does not include ::
- Bug 4937: cachemgr.cgi: unallocated memory access
- Bug 4936: terminating c-strings beyond BASE64_DECODE_LENGTH
- Bug 4889: Ignore ECONNABORTED in accept(2)
- Bug 4842: Memory leak when http_reply_access uses external_acl
- TLS: Fix tls-min-version= being ignored
- TLS: Add the NO_TLSv1_3 option to available tls-options values
- HTTP: RFC 7230 forbids generation of userinfo subcomponent of https URL
- HTTP: Remove userinfo support from old protocols
- HTTP: Fix Digest auth parameter parsing
- HTTP: Send Connection:close with the known-last request on a connection
- HTTP: Fix handling of tiny invalid responses
- Replace uudecode with libnettle base64 decoder
- Update HttpHeader::getAuth to SBuf
- ... and some compile issues
Changes to squid-4.7 (06 May 2019):
- Bug 4942: --with-filedescriptors does not do anything
- Bug 4928: Cannot convert non-IPv4 to IPv4
- Bug 4823: assertion failed: "lowestOffset () <= target_offset"
- Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs
- Fix squidclient authentication to origin servers
- Fix stack-based buffer-overflow when parsing SNMP messages
- Add support for buffer-size= to UDP logging
- TLS: When using OpenSSL, trust intermediate CAs from trusted store
Changes to squid-4.6 (19 Feb 2019):
- Bug 4915: Detect IPv6 loopback binding errors
- Bug 4914: Do not call setsid() in --foreground mode
- Bug 4875 pt2: GCC-8 compile errors with -O3 optimization
- Bug 4856: Exit when GoIntoBackground() fork() call fails
- basic_ldap_auth: Return BH on internal errors; polished messages
- Fix BodyPipe/Sink memory leaks associated with auto-consumption
- Fix OpenSSL builds that define OPENSSL_NO_ENGINE
- Fix several cases of rock cache corruption
- Add Georgian (ka) language translation
Changes to squid-4.5 (01 Jan 2019):
- Bug 4253: ssl_bump prevents access to some web contents
- TLS: add %>handshake logformat code
- Redesign forward_max_tries to count TCP connection attempts
- Fix client_connection_mark ACL handling of clientless transactions
- Fix netdb exchange with a TLS cache_peer
- Update netdb when tunneling requests
- Use pkg-config for detecting libxml2
- ... and some documentation updates
- ... and some code compile fixes
Changes to squid-4.4 (28 Oct 2018):
- Bug 4893: Malformed %>ru URIs for CONNECT requests
- Fix %USER_CA_CERT_xx and %USER_CERT_xx crashes
- SSL: support compilation with minimal OpenSSL
- SSL: certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL
- Fix netdb not saving to disk
- Fix memory leak when parsing SNMP packet
- ... and some compile issues
Changes to squid-4.3 (01 Oct 2018):
- Bug 4885: Excessive memory usage when running out of descriptors
- Bug 4877: Add missing text about external_acl_type %DATA changes
- Bug 4875 pt1: GCC-8 compile errors with -O3 optimization
- Bug 4716: Blank lines in cachemgr.conf are not skipped
- Bug 4691: balance_on_multiple_ip config option docs
- basic_pop3_auth: fix startup errors
- langpack: Add missing dialect aliases
- Fix range_offset_limit debugging
- Fix icc build errors
- Update systemd dependencies in squid.service
Changes to squid-4.2 (04 Aug 2018):
- Regression fix: support for https_port clientca= option
- Regression Bug 4870: milliseconds logformats prepend 0s instead of spaces
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4843 pt3: GCC-8 fixes and refactoring
- HTTP: Do not update stored headers on 304 responses
- Fix segmentation fault on -k parse
- Fix %>ru logging of huge URLs
- ... and several performance optimizations
- ... and some documentation updates
- ... and all fixes from 3.5.28
Changes to squid-4.1 (02 Jul 2018):
- Bug 4223: fixed retries of failed re-forwardable transactions
- Bug 4791: Build failure on MacOS
- Fix --with-netfilter-conntrack error message
- ... and many documentation updates
Changes to squid-4.0.25 (11 Jun 2018):
- Regression Bug 4855: querying private entries for HTCP/ICP
- Regression Bug 4852: deny_info %R macro not being expanded
- Regression Bug 4847: proxy_auth ACL -i/+i flags not working
- Regression Bug 4831: filter chain certificates for validity when loading
- Regression fix: Transient reader locking broken in 4.0.24
- Bug 4845: NegotiateSsl crash on aborting transaction
- Bug 4843 pt1: ext_edirectory_userip_acl refactoring for GCC-8
- Bug 4843 pt2: squidclient refactoring for GCC-8
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4828: Use feature detection for IPFilter API/ABI checks
- Bug 4816: update negotiate_kerberos_auth helper protocol to v3.4
- Bug 4811: supply AccessLogEntry (ALE) for more fast ACL checks
- Bug 4707: purge tool does not obey --sysconfdir= build option
- Bug 4171: checking for log_file_daemon despite disabling logging
- Bug 4042: ext_kerberos_ldap_group: add -P principal option
- TLS: avoid "ssl_crtd" assertions on reconfiguration
- Add timestamps to (most) FATAL messages
- Add "--kid role-ID" command line option
- ... and many documentation updates
Changes to squid-4.0.24 (07 Mar 2018):
- Bug 4822: Build failure (-Wformat) where time_t is not long int
- Bug 4505: SMP caches sometimes do not purge entries
- TLS: GnuTLS implementation for listening ports and client connections
- TPROXY: Fix clientside_mark and client port logging
- Native FTP: Fix "Cannot assign requested address" with TPROXY
- SSL-Bump: Fix authentication with types other than Basic
- ... and many small compile and stability fixes
- ... and some documentation fixes
Changes to squid-4.0.23 (19 Jan 2018):
- Bug 4715: security_file_certgen: Remove -g and -n options docs
- Bug 4679: User names not sent to url_rewrite_program
- Bug 4631: security_file_certgen helper without disk cache
- Bug 3911: clang -fsanitize warnings
- Bug 2378: Duplicates in selected peer destinations
- Nettle v3.4 support
- Fix Squid FTP server dying because of an unhandled exception
- Automatically revive hopeless kids on reconfigure and after a timeout
- Fix %<Hs, %<pt, %<tt, %<bs calculation bugs for error responses
- ... and many documentation updates
- ... and some stability fixes
Changes to squid-4.0.22 (07 Dec 2017):
- Regression fix: Relay peer CONNECT error status line and headers to clients
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 4718: support filling raw buffer space of shared SBufs
- Bug 4648: object revalidation for HTTPS scheme
- Bug 4616: store_client.cc:92: "mem" assertion
- Bug 2821: ignore Content-Range in non-206 responses
- HTCP: Ignore packets with invalid URI
- TLS: Validate the shortest certificate chain
- TLS: Add checks for OpenSSL 1.1.0f API changes
- TLS: Fix reporting of validation errors for downloaded intermediate certs
- TLS: Fix SSL certificate cache refresh and collision handling
- Fix backwards compatibility for Squid-3.5 external_acl_type formats
- Fix invalid mime icon URLs in cache
- Do not die silently when dying early
- Docs: update translation files
Changes to squid-4.0.21 (02 Jul 2017):
- Bug 4730: segfault while processing internal HTTP requests
- Bug 4492: Chunk extension parser is too pedantic
- Bug 1961: Redesign urlParse() API
- TLS: recognise tls:: namespace on logformat tokens
- SSL-Bump: tproxy does not spoof spliced connections
- security_file_certgen: collapse queued requests
- Add a basic AppArmor profile
- Add transaction_initiator ACL for detecting various unusual transactions
- Add ssl::server_name options to control matching logic
- Support for --long-acl-options
- Do not die silently when dying via std::terminate()
- Fix option --foreground to implement expected behavior
- Translations: update .po and .pot to latest texts
- ... and some documentation updates
- ... and many code cleanup and stability fixes
- ... and all fixes from 3.5.27
Changes to squid-4.0.20 (01 Jun 2017):
- Bug 4692: SslBump breaks intercepted IPv6 connections
- Bug 4682: ignoring http_access deny when client-first bumping mode is used
- Bug 4662: build errors with LibreSSL 2.4.4
- Bug 4659: sslproxy_foreign_intermediate_certs does not work
- Bug 4321: ssl_bump terminate does not terminate at step1
- Add 'has' ACL
- Do not forward HTTP requests to dead idle peers
- Do not unconditionally revive dead peers after a DNS refresh
- Make PID file check/creation atomic to avoid associated race conditions
- Count failures and use peer-specific connect timeouts when tunneling
- SSL-Bump: Fix crashes when server-first bumping mode is used with OpenSSL-1.1.0
- eCAP: Fix empty header handling in Ecap::HeaderRep::hasAny()
- SSL-Bump: Second adaptation missing for CONNECTs
- ext_session_acl: cope with new logformat inputs
- ... and some documentation updates
- ... and some code stability fixes
- ... and all fixes from 3.5.26
Changes to squid-4.0.19 (02 Apr 2017):
- Bug 4674: delay_parameters for class 3 and 4 assertion failed
- Bug 4671: GCC 7 compile errors
- Bug 4663: GCC 5+ compile errors with optimization level -O3
- Bug 4657: delay IDENT until after PROXY protocol handling
- Bug 4610: cleanup of BerkeleyDB related checks
- squidclient: Fix missing error handling on PUT
- digest_ldap_auth: Add -r option to clamp the realm to a fixed value
- TLS: initial GnuTLS support for encrypted server connections
- Fix appending Http::HdrType::VIA code
- Fix URI scheme case-sensitivity treatment
- Fix two read-ahead problems related to delay pools (or lack thereof)
- Detail swapfile header inconsistencies
- ... and several build fixes
- ... and many code polishing updates
- ... and all fixes from 3.5.25
Changes to squid-4.0.18 (06 Feb 2017):
- Bug 4661: compile error 'warning: _XPG4_2 redefined' with GCC on Solaris 10
- Bug 4636: assertion 'byteCount > 0 && byteCount <= inBuf.length()'
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599: support OpenSSL 1.1
- squidclient: link GnuTLS library debugs to -v level display
- Fix GCC6: unused local variable 'weInitiatedThisClosure'
- ... and some code polishing
- ... and some copyright updates
- ... and all fixes from 3.5.24
Changes to squid-4.0.17 (16 Dec 2016):
- Bug 4630: user credentials cache cleanup not re-scheduled
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599 partial: initial support for OpenSSL v1.1
- TLS: Support tunneling of bumped non-HTTP traffic
- ... and many code polishing and performance updates
- ... and some documentation updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.16 (30 Oct 2016):
- Avoid segfaults when lacking the server name for certificate validator
- HTTP: initial support for Cache-Control:immutable
- Fix ssl::server_name ACL
- ... and many code polishing updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.15 (09 Oct 2016):
- Regression fix crash on reconfigure with TOS/DiffServ/MARK configured
- Bug 4610: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4581: Secure ICAP segfault in checkForMissingCertificates
- Bug 4578: changes required to install squid.service
- Fix crash on shutdown while cleaning up idle ICAP connections
- Fix memory leak of Downloader-related objects
- HTTP/1.1: handle syntactically valid requests with unsupported HTTP versions
- Log TCP client port for error:transaction-end-before-headers and such
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.22
Changes to squid-4.0.14 (08 Sep 2016):
- Regression Bug 4570: crash after rev.14755
- Regression Bug 4561: Replace use of default move operators with explicit implementation
- Bug 4503: Do not access-log SslBump-faked CONNECTs with _ABORTED suffixes
- Bug 4404: Do not access-log chunked non-persistent responses with _ABORTED suffix
- Fix crashes on shutdown while cleaning up idle ICAP connections
- Fix logformat unable to configure codes with /-escape
- HTTP: MUST respond with 414 (URI Too Long) when request-target exceeds limits
- HTTP: validate Content-Length header values
- Make Squid death due to overloaded helpers optional
- Better support for unknown URL schemes
- Do not log error:transaction-end-before-headers after invalid requests
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.21
Changes to squid-4.0.13 (05 Aug 2016):
- Regression Bug 4540: revert r14720 buffer update
- Bug 4555: Minor improvements to error pages CSS
- Bug 4551: fix exceptions in new chunked decoder
- Bug 4311: support collapse for internal revalidation requests (SMP-unaware caches)
- Fix Certificate Validator buffer-overflow crashes Squid
- Fix some failed transactions not being logged
- Fix segfault via Ftp::Client::readControlReply().
- basic_db_auth: add support for unsalted SHA1 passwords
- kerberos_ldap_group: add support for SSL/TLS connection to an LDAP server
- TLS: Add missing 'tls' option for cache_peer
- TLS: Do not hang when 'connector' fails
- TLS: Add support for fetching missing certificates
- Remove XSTD_USE_LIBLTDL, which has not been needed in a long while
- ... and many code polishing updates
- ... and some documentation updates
Changes to squid-4.0.12 (01 Jul 2016):
- Regression Fix: shell issues with require_smblib definition
- Regression Bug 4532: pid_filename not working as documented
- Regression Bug 4504: Too many WARNING: Ignoring error setting CA certificate locations
- Bug 4516: security_file_certgen man page update
- Bug 4446: undefined reference to 'libecap::Name::Name'
- Bug 4376: clang cannot build Squid eCAP code
- HTTP/1.1: Update all stored headers on 304 revalidation
- TLS: Authority Key Identifier certificate extension
- Add a script to find kid-specific cache.log lines
- Cleanup cppunit detection and use
- ... and several performance improvements
- ... and some unit test updates
- ... and all fixes from 3.5.20
Changes to squid-4.0.11 (09 Jun 2016):
- Bug 4517: error: comparison between signed and unsigned integer
- Bug 4492: chunked parser needs to accept BWS after chunk size
- HTTP/1.1: allow chunking the last HTTP response on a connection
- HTTP/1.1: unfold mime header blocks
- TLS: fast SNI peek
- TLS: check for SSL_CIPHER_get_id() support required in adjustSSL()
- TLS: never enable OPENSSL_HELLO_OVERWRITE_HACK automatically
- squidclient: improve shell-escape support in -H option
- Do not allow low-level debugging to hide important/critical messages
- Replace new/delete operators using modern C++ rules
- Remove ie_refresh configuration option
- Deprecating SMB LanMan helpers
- Mark refresh-waiting transactions with REFRESH
- ... and some code cleanup and polishing
Changes to squid-4.0.10 (06 May 2016):
- Accumulate fewer unknown-size responses to avoid overwhelming disks.
- Fix shared memory corruption when storing multi-slot (>32KB) shm misses.
- ... and some documentation and code cleanup
- ... and all fixes from 3.5.18
Changes to squid-4.0.9 (20 Apr 2016):
- Bug 4405: assertion failed: comm.cc:554: "Comm::IsConnOpen(conn)"
- Add a new error page token for unquoted external ACL messages.
- Stop parsing response prefix after discovering an "HTTP/0.9" response.
- ... and some documentation updates
- ... and some code polishing
- ... and all fixes from 3.5.17
Changes to squid-4.0.8 (02 Apr 2016):
- Bug 4459: FHS compliance: move netdb.state and ssl_db to /var/cache/squid
- Bug 4458: Behaviour change with external ACL arguments
- Bug 4450: wait() related cleanup
- Bug 4438: SIGSEGV in memFreeString() destructing SBuf globals on shutdown/restart
- Bug 4312: Support disabling collapsed forwarding SMP cooperation
- Bug 3826: SMP compatibility with systemd and --foreground option
- Bug 1979: Add ACL-driven server_pconn_for_nonretriable squid.conf directive
- Bug 7 (partial): Update cached entries on 304 responses
- Add reply_header_add directive
- HTTP/1.1: Do not prohibit updating Last-Modified on 304 responses
- Fix memory leaks of lastAclData and AccessLogentry::url
- Fix clang -Winconsistent-missing-override warning
- Tests: update test suite for GnuTLS
- ... and some documentation updates
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.16
Changes to squid-4.0.7 (23 Feb 2016):
- Regression Fix: external_acl parameters separated by %20 instead of space
- Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
- Bug 4111: leave_suid() does not properly handle error codes returned by setuid
- Fix propagation of response status line parsing error details
- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
- ... and some code SourceLayout project cleaning
- ... and all fixes from squid 3.5.15
Changes to squid-4.0.6 (16 Feb 2016):
- Regression Bug 4436: Fix DEFAULT_SSL_CRTD
- Fix "dial: Ssl::PeerConnector::sslCrtvdHandleReply threw exception: callback != NULL"
- ... and some documentation updates
- ... and all fixes from squid 3.5.14
Changes to squid-4.0.5 (09 Feb 2016):
- Regression Bug 4429: http(s)_port options= error message missing characters
- Regression Bug 4410: 4.0.4 compile error in basic_ncsa_auth
- Regression Bug 4403: helper compile errors after 4.0.4 rev.14454
- Regression Bug 4401: compile error on Solaris
- Regression Fix: TLS/SSL flags parsing
- Regression Fix: cert validator always disabled in 4.x
- Regression Fix: Name-only note ACL stopped matching after 4.0.4 rev.14465 (note -m)
- Regression Fix: external_acl problems after 4.0.1 rev.14351
- Bug 4409 (partial): compile error when two Heimdal libraries are installed
- Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size
- SMP: Fix cleanup of a shared memory segment in an unusual configuration
- SSL-Bump: Fix step3 splicing.
- Add connections_encrypted ACL
- Make %<a and %<p details available to [eCAP] RESPMOD services
- Rename cert_valid.pl to security_fake_certverify
- Rename ssl_crtd helper to security_file_certgen
- ... and a lot of code SourceLayout project cleaning
- ... and some documentation updates
- ... and all fixes from squid 3.5.13 up to rev.13979
Changes to squid-4.0.4 (06 Jan 2016):
- Regression Bug 4393: compile fails on OS X
- Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or tunnelClientClosed
- Support use of Kerberos credentials cache instead of keytab
- Support logging of TLS Cryptography Parameters
- Support substring matching in Note ACL
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.13
Changes to squid-4.0.3 (28 Nov 2015):
- Bug 4372: missing template files
- Bug 4371: compile errors: no such file or directory: DiskIO/*/*DiskIOModule.o
- Bug 4368: A simpler and more robust HTTP request line parser
- Fix compile error on clang undefined reference to '__atomic_load_8'
- ext_kerberos_ldap_group_acl: Add missing workarounds for Heimdal Kerberos
- ext_ldap_group_acl: Allow unlimited LDAP search filter
- ext_unix_group_acl: Support -r parameter to strip @REALM from usernames
- ... and much code cleanup and polishing
- ... and all fixes from squid 3.5.12
Changes to squid-4.0.2 (01 Nov 2015):
- Regression Bug 4351: compile errors when authentication modules disabled
- Regression fix: HTTP/1.1 Transfer-Encoding:chunked parsing
- Bug 4359: assertion failure 'Comm::IsConnOpen(conn)' within ConnStateData::requestTimeout
- Bug 4356: segmentation fault using proxy_auth ACL
- Bug 4352: compile errors in OS X 10.11
- Bug 4021: ext_user_regex does exact match
- Bug 3574: avoid crashes, prohibit reconfiguration during shutdown
- Support re-assigning delay pools based on HTTP reply details
- ... and all fixes from squid 3.5.11
Changes to squid-4.0.1 (14 Oct 2015):
- Bug 4329: GCC 5.2 no known conversion for argument
- Bug 4292: negotiate_wrapper: Unreleased Resources
- Bug 4269: ignore-must-revalidate broken
- Bug 4190: assertion 'hash_remove_link' from Auth::User::cacheCleanup
- Bug 3920: Splay::remove() reference counting inconsistent
- Bug 3069: CONNECT method bytes sent logging
- Bug 2741 partial: libsecurity API for GnuTLS support
- Bug 1961 partial: redesign of URL handling
- Fix crash when parsing invalid squid.conf
- Fix eCAP: Return 'unknown body size' for bodies with unknown body sizes
- Remove unused OS detection: Sun, SysV, Ultrix, BSDi
- Remove cache_peer_domain directive
- RFC 6176 compliance: Remove SSLv2 support
- HTTP/1.1: Remove refresh_pattern ignore-auth and ignore-must-revalidate
- Remove GCC 2.x and 3.x detection and support
- C++11 compiler support is now mandatory
- Enable flexible transport protocol
- Enable long (--foo) command line parameters on squid binary
- Add per-rule refresh_pattern matching statistics
- Replace sslversion=N with tls-min-version=1.N
- Replace sslproxy_* directives with tls_outgoing_options
- Replace GNU atomics and related hacks with C++11 std::atomic
- Replace external_acl_type format %macros with logformat codes
- Support Secure ICAP services
- Support rotate=N option on access_log
- Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
- Support lifetime timeout for persistent connections (pconn_lifetime)
- Support timeout for URL-rewrite helper lookups (url_rewrite_timeout)
- Support logging fast things (nanosecond log resolution)
- Support ICAP/eCAP adaptation for 100-continue responses
- Support configurable helper queue size, with consistent defaults and better overflow handling.
- Support named service PID file by default (pid_filename)
- url_lfs_rewrite: Add URL-rewriter based on local file existence
- negotiate_kerberos_auth: output group= kv-pair
- helper-mux: add man(8) page
- purge: convert README to man(1) page
- basic_msnt_multi_domain_auth: Superseded by basic_smb_lm_auth
- basic_sspi_auth: fix MinGW compile errors
- negotiate_sspi_auth: fix various build errors
- Crypto-NG: libnettle Base64 algorithm support
- Parser-NG: HTTP Parser structural redesign
- libltdl: copyright updated to LGPL version 2.1
- ... and several performance optimizations
- ... and many documentation changes
- ... and much code cleanup and polishing
Changes to squid-3.5.28 (15 Jul 2018):
- SQUID-2018:1: crash processing SSL-Bumped traffic containing ESI
- SQUID-2018:2: crash handling responses to internally generated requests
- SQUID-2018:3 / CVE-2018-1172: crash in ESI Response processing
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 2821: Ignore Content-Range in non-206 responses
- HTCP: Ignore HTCP packets with invalid URI
- SSL-Bump: fix authentication with schemes other than Basic
- TPROXY: Fix clientside_mark and client port logging
- Fix "Cannot assign requested address" for to-origin TPROXY FTP data
- Fix --with-netfilter-conntrack error message
- Validate mime icon URL before allocating store entries
- ... and many documentation changes
Changes to squid-3.5.27 (20 Aug 2017):
- Regression Bug #4112: ssl_engine does not accept cryptodev
- Bug 4687: Wrong names of components in man page, section SEE ALSO
- Bug 4671: various GCC 7 compile errors
- Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions
- Bug 2833: Collapse internal revalidation requests (SMP-unaware caches)
- Bug 2833: Do not respond with HTTP/304 to unconditional requests
- Fix message packing error handling in mgr and snmp SMP Forwarders
- Fix mgr query handoff from the original recipient to Coordinator.
- ... and some documentation updates
Changes to squid-3.5.26 (01 Jun 2017):
- Bug 4711: SubjectAlternativeNames is missing in some generated certificates
- Bug 4695: squidpurge: GCC 7 build errors
- Bug 4682: ignoring http_access deny when client-first bumping mode is used
- Bug 4682: Fix ssl_bump "bump" action documentation
- Bug 4653: %st lies about tunneled traffic volumes
- Bug 4589: ssl_crtd: returning zero on failure
- Bug 3772: message from FTP server gets mangled
- Bug 3102: FTP directory listing drops first character of file names
- Add OpenSSL library details to -v output
- ... and some documentation updates
Changes to squid-3.5.25 (02 Apr 2017):
- Bug 4688: various typo error(s) in man page(s)
- Bug 4508: Host forgery stalls intercepted being-spliced connections
- Native FTP relay: NAT and TPROXY interception fixes
- Fix missing CRLF on FTP timeout ABORT commands
- TLS: Bump client on errors encountered before ssl_bump evaluation
- ext_kerberos_ldap_group_acl: fix unused value warnings
- Fix crash when configuring with invalid delay_parameters restore value.
- Check that -k argument is provided before trying to use it.
- ... and some build fixes
Changes to squid-3.5.24 (28 Jan 2017):
- Regression Bug 3940: Make 'cache deny' do what is documented
- TLS: Fix SSLv2 records bumping despite a matching step2 peek rule
- TLS: Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation
- Fix "Source and destination overlap in memcpy" Valgrind errors
- Reduce crashes due to unexpected ClientHttpRequest termination
- Update External ACL helpers error handling and caching
- Detect HTTP header ACL issues
- ... and some documentation fixes
Changes to squid-3.5.23 (16 Dec 2016):
- Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
- Bug 4620: NetBSD build error with --enable-ipf-transparent
- Bug 4567: Strange IPv6 shown in access.log
- Bug 4406: SIGSEGV in TunnelStateData::handleConnectResponse() during reconfigure and restart
- Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion.
- Bug 4169: HIT marked as MISS when If-None-Match does not match
- Bug 4007: Hang on DNS query with dead-end CNAME
- Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
- Bug 3940 partial: hostHeaderVerify failures MISS when they should be HIT
- Bug 3533: Cache still valid after HTTP/1.1 303 See Other
- Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
- Bug 3290: authenticate_ttl not working for digest authentication
- Bug 2258: bypassing cache but not destroying cache entry
- HTTP/1.1: make Vary:* objects cacheable
- HTTP/1.1: Add registered codes entry for new 103 (Early Hints) status code
- Support IPv6 NAT with PF for NetBSD and FreeBSD
- TLS: Make key= before cert= an error instead of quietly hiding the issue
- ... and some debug updates
- ... and some build fixes
- ... and several documentation updates
Changes to squid-3.5.22 (09 Oct 2016):
- Bug 4594: build failure with clang 3.9
- Bug 4471: revalidation does not work when expired cached object lacks Last-Modified
- Bug 4302 pt2: IPv6 support for IPFilter v5 transparent interception
- Bug 4228: ./configure bug/typo in r14394
- Bug 3819: "fd >= 0" assertion in file_write() during reconfiguration
- Bug 2833: Collapse internal revalidation requests (SMP-unaware caches)
- Fix logged request size (%http::>st) and other size-related %codes
- Fix some memory leaks from putenv()
- Fix memory leaks from url_rewrite_extras and store_id_extras on reconfigure/shutdown
- Fix segfault crash when debugging section 4 at level 9
- HTTP: MUST ignore a [revalidation] response with an older Date header
Changes to squid-3.5.21 (08 Sep 2016):
- Bug 4563: duplicate code in httpMakeVaryMark
- Bug 4542: authentication credentials IP TTL updated incorrectly
- Bug 4534: assertion failure in xcalloc when using many cache_dir
- Bug 4428: mal-formed Cache-Control:stale-if-error header
- Bug 3025: Proxy-Authenticate problem using ICAP server
- Fix segfault via Ftp::Client::readControlReply()
- Fix SSL-Bump failure results in SEGFAULT
- HTTP/1.1: MUST always revalidate Cache-Control:no-cache responses
- HTTP/1.1: do not allow Proxy-Connection to override Connection header
- SSL: CN wildcard must only match a single domain component [fragment]
Changes to squid-3.5.20 (01 Jul 2016):
- Bug 4523: smblib compile fails on NetBSD
- Bug 4485: off-by-one out-of-bounds Parser::Tokenizer::int64() read errors
- Bug 3579: assertion failed 'MemPools[type]' from dst_as ACL
- Fix icons loading speed
- Fix OpenSSL detection on FreeBSD
- Fix assertion failed: Write.cc:38: 'fd_table[conn->fd].flags.open'
- Fix SEGFAULT parsing malformed adaptation service configuration
- Fix ConnStateData::In::maybeMakeSpaceAvailable() logic
- Do not override user defined -std option
- Do not allow low-level debugging to hide important/critical messages
- Do not make bogus recvmsg(2) calls when closing UDS sockets
- Support unified EUI format code in external_acl_type
Changes to squid-3.5.19 (09 May 2016):
- Regression Bug 4515: interception proxy hangs
Changes to squid-3.5.18 (06 May 2016):
- Bug 4510: stale comment about 32KB limit on shared memory cache entries
- Bug 4509: EUI compile error on NetBSD
- Bug 4501: HTTP/1.1: normalize Host header
- Bug 4498: URL-unescape the login-info after extraction from URI
- Bug 4455: SegFault from ESIInclude::Start
- Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
- Fix TLS/SSL server handshake alert handling
Changes to squid-3.5.17 (20 Apr 2016):
- Regression Bug 4480: logformat [.width_max]
- Regression Bug 4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt
- Bug 4495: Unknown SSL option SSL_OP_NO_TICKET
- Bug 4493: theObject->sharedMemorySize() == theSegment.size() exception
- Bug 4483: ./configure garbles -Og option in CFLAGS
- Bug 4482: Solaris GCC 5.2 warning in src/ip/Intercept.cc
- Bug 4468: NotNode (!acl) naming: Terminate the name before strncat(name).
- Bug 4465: Header forgery detection leads to crash
- Bug 2460 partial: workaround deferred reads on shutdown and restart
- cachemgr.cgi: use dynamic MemBuf for internal content generation
- ESI: Fix several element construction issues
- TLS: Fix Handshake Error: ccs received early
- TLS: Add chained and signing cert to peek-then-bumped connections
- Fix some startup/shutdown crashes
Changes to squid-3.5.16 (02 Apr 2016):
- Bug 4476: Removed duplicated #include lines
- Bug 4452: squid -z segfaults with ufs
- Bug 4447: FwdState.cc:447 "serverConnection() == conn" assertion
- Bug 4423: adding stdio: prefix to cache_log directive produces FATAL error
- Bug 4409: compile error when two Heimdal libraries are installed
- Bug 2831: Cache-control: max-age not sent on TCP_IMS_HIT/304
- pinger: Fix buffer overflow in Icmp6::Recv
- pinger: Fix select(2) to actually use max_fd
- pinger: drop capabilities on Linux
- Fix memory leak of HttpRequest objects
- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
- Fix assertion failed: Write.cc:41: "!ccb->active()"
- Fix crash on shutdown while cleaning up idle ICAP connections
- RFC 7725: Add registry entry for 451 status text
- ... and some build issues
Changes to squid-3.5.15 (23 Feb 2016):
- Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
- Fix multiple assertion on String overflows
- Fix unit test errors on MacOS
- Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
- Log noise reduction for eCAP
Changes to squid-3.5.14 (16 Feb 2016):
- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
- Bug 4431: C code is not compiled with CFLAGS
- Bug 4418: FlexibleArray compile error with GCC 6
- Bug 4378: assertion failed: DestinationIp.cc:60: 'checklist->conn() && checklist->conn()->clientConnection != NULL'
- Fix invalid FTP connection handling on blocked content
- Fix handling of shared memory left over by Squid crashes or bugs
- Fix mgr:config report 'qos_flows mark' output
- Fix compile error in CPU affinity
- Fix %un logging external ACL username
- Avoid more certificate validation memory leaks
- ... and some documentation updates
Changes to squid-3.5.13 (06 Jan 2016):
- Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
- Bug 4387: Kerberos build errors on Solaris
- TLS: Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
- TLS: Complete certificate chains using external intermediate certificates
- Avoid memory leaks when an X.509 certificate validator is used with SslBump
- Fix connection retry and fallback after failed server TLS connections
- Fix GnuTLS detection via pkg-config
- Fix startup crash with a misconfigured (too-small) shared memory cache
- ... and some documentation updates
Changes to squid-3.5.12 (28 Nov 2015):
- Bug 4374: refresh_pattern config parser (%)
- Bug 4373: assertion 'calloutContext->redirect_state == REDIRECT_NONE'
- Bug 4228: links with krb5 libs despite --without options
- Fix SSL_get_certificate() problem detection
- Fix TLS handshake problem during Renegotiation
- Fix cache_peer forceddomain= in CONNECT
- Fix status code-based HTTP reason phrase for eCAP-generated messages
- Fix build errors in cpuafinity.cc
- ... and several documentation updates
Changes to squid-3.5.11 (01 Nov 2015):
- Bug 3574: crashes on reconfigure and startup
- Bug 4347: compile errors with LibreSSL 2.3
- Bug 4281: copy-paste typos in src/tools.cc
- Bug 4279: No response from proxy for FTP-download of non-existing file
- Bug 4188: Bumping intercepted SSL connections does not work on Solaris
- Fix incorrect authentication headers on cache digest requests
- Fix connection stats, including %<lp, missing for persistent connections
- Fix invalid memory access issues in SBuf
- Avoid errors when parsing manager ACL in old squid.conf
Changes to squid-3.5.10 (01 Oct 2015):
- Regression Fix: cache_peer login=PASS(THRU) after CVE-2015-5400
- Regression Bug 4326: base64 binary encoder rejects data beginning with nil byte
- Bug 4323: Netfilter broken cross-includes with Linux 4.2
- Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules
- Bug 4208: more than one port in wccp2_service_info line causes error
- Bug 4303: PeerConnector.cc:743 "!callback" assertion.
- Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size of SSL hello ciphers
- Relicense ntlm_fake_auth.pl to GPLv2+
- Relicense smb_lm auth helper to GPLv2+
- Relicense SSPI helper to GPLv2+
- ... and several minor performance optimizations
Changes to squid-3.5.9 (17 Sep 2015):
- Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords
- Bug 4309: incorrect extensions detection in SSL Hello messages
- Bug 4309: crash during Skype login
- Bug 4284: missing sanity checks for malloc
- Regression Fix: CONNECT request debugging 11,2 traces
- Regression Fix: Quieten UFS cache maintenance skipped warnings
- TLS: Support SNI on generated CONNECT after peek
- ... and some documentation updates
Changes to squid-3.5.8 (02 Sep 2015):
- Regression Bug 4306: build portability fix in Kerberos helpers
- Bug 4302: IPFilter v5 transparent interception
- Bug 4301: compile errors with IPFilter interception
- Bug 4285 partial: %us is not supported in access.log
- Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
- Bug 4242: compile errors with eCAP using clang-3.6
- Bug 3696: crash when client delay pools are activated
- Bug 3553: cache_swap_high ignored and maxCapacity used instead
- Regression Fix: FtpServer.cc:1024: "reply != NULL" assertion
- Fix: ignore impossible SSL bumping actions, as intended and documented
- Fix memory leak in Surrogate-Capability header detection
- Fix truncated body length when RESPMOD service aborts
- Reject non-chunked HTTP messages with conflicting Content-Length values
- Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
- ... and several portability and compile fixes
- ... and several documentation updates
Changes to squid-3.5.7 (01 Aug 2015):
- Bug 4293: wrong SNI sent to server after URL-rewrite
- Bug 4251: incorrect instance name for memory segments in /dev/shm
- Bug 4227: invalid key in AuthUserHashPointer causing assertion failure
- Bug 3345: support %un (any available user name) format code for external ACLs.
- basic_smb_auth: Fix several old issues identified by Debian users
- Support ssl-bump splicing to origin cache_peer
- Fix SSL errors relayed using invalid certificates
- Fix crash in TcpAccepter with profiler enabled
- Fix some cases of ssl_crtd SSL certificate DB corruption
- Fix performance regression in SBuf::chop operations
- Improve handling of client connections on shutdown
- Handle exceptions during squid.conf parse
- Make pod2man an optional dependency
- ... and polishing for several cache.log notification messages
- ... and all fixes from squid 3.4.14
Changes to squid-3.5.6 (03 Jul 2015):
- Bug 4274: ssl_crtd.8 not being installed
- Bug 4193: memory leak on FTP listings
- Bug 4183: segfault when freeing https_port clientca on reconfigure or exit
- Bug 3875: bad mimeLoadIconFile error handling
- Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
- Bug 3329: pinned server connection is not closed properly
- TLS: Disable client-initiated renegotiation
- ext_edirectory_userip_acl: fix uninitialized variable
- Support custom OIDs in *_cert ACLs
- Fix CONNECT failover to IPv4 after trying broken IPv6 servers
- Use relative-URL in errorpage.css for SN.png
- Do not blindly forward cache peer CONNECT responses
- Fix assertion String.cc:221: "str"
- Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
- Translations: add Spanish US dialect alias
Changes to squid-3.5.5 (28 May 2015):
- Regression Bug 4132: short_icon_urls with global_internal_static on
- Bug 4238: assertion Read.cc:205: "params.data == data"
- Bug 4236: SSL negotiation error of 'success'
- Bug 3930: assertion 'connIsUsable(http->getConn())'
- Fix assertion MemBuf.cc:380: "new_cap > (size_t) capacity" in SSL I/O buffer
- Fix assertion errorpage.cc:600: "entry->isEmpty()"
- Fix comm_connect_addr returning Comm:OK on failures
- Fix missing external ACL helper notes
- Fix "Not enough space to hold server hello message" error message
- Fix segmentation fault inside Adaptation::Icap::Xaction::swanSong
- Prevent unused ssl_crtd helpers being run
- ... and some code cleanup and portability updates
- ... and several documentation updates
Changes to squid-3.5.4 (01 May 2015):
- Bug 4234: comm_connect_addr uses errno incorrectly
- Bug 4231: fd_open() not correctly handling UDS socket descriptions
- Bug 4226: digest_edirectory_auth: found but cannot be built
- Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump"
- Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections
- Fix require-proxy-header preventing HTTPS proxying and ssl-bump
- Fix Negotiate/Kerberos authentication request size exceeds output buffer size
- Fix SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
- Add server_name ACL matching server name(s) obtained from various sources
- Add Kerberos support for Mac OS X 10.x
- Support for resuming TLS sessions
- ... and some portability and compile fixes
- ... and several documentation updates
- ... and all fixes from squid 3.4.13
Changes to squid-3.5.3 (28 Mar 2015):
- Regression Bug 4213: negotiate_kerberos_auth: freeing non-dynamic memory
- Regression Bug 4206: Incorrect connection close on expect:100-continue
- Bug 4204: ./configure does not abort when required helpers cannot be built
- Bug 3805: support shared memory on MacOS X in Mem::IPC::Segment
- Bug 2907: high CPU usage on CONNECT when using delay pools
- basic_getpwnam_auth: fail authentication on crypt() failures
- basic_nis_auth: fail authentication on crypt() failures
- ext_kerberos_ldap_group_acl: Heimdal support improvements
- ext_wbinfo_group_acl: Perl 5.20 support
- ... and several compile issues
Changes to squid-3.5.2 (18 Feb 2015):
- Regression Bug 4176: Digest auth too many helper lookups
- Regression Bug 4180: not-fully-initialized data member in ACLUserData
- Bug 4172: Solaris broken krb5-config
- Bug 4073: Cygwin compile errors
- Bug 3919: remove several never-true / never-false comparisons
- HTTPS: Add missing root CAs when validating chains that passed internal checks
- Fix some cbdataFree related memory leaks
- Quieten CBDATA 'leak' messages
- Set SNI information in transparent bumping mode
- negotiate_kerberos_auth: fix krb5.conf backward compatibility
- Fix memory leaks in cachemgr.cgi URL parser
- Fix sslproxy_options in peek-and-splice mode
- ... and fix several portability and build issues
- ... and some documentation updates
- ... and all fixes from squid 3.4.11
Changes to squid-3.5.1 (13 Jan 2015):
- Fix handling of invalid SSL server certificates when splicing connections
- basic_smb_lm_auth: Simplified MSNT basic auth helper
- squidclient: Fix -A and -P options
- ... and several portability fixes
- ... and all fixes from squid 3.4.11
- ... and a lot of documentation updates
Changes to squid-3.5.0.4 (21 Dec 2014):
- Bug 3826: pt 2: Provide a systemd .service file for Squid
- Support http_access denials of SslBump "peeked" connections.
- Fix DONT_VERIFY_DOMAIN ssl flag
- Fix peek-and-splice mode: certificate validation for domain mismatched errors
- negotiate_kerberos_auth: MEMORY keytab and replay cache support
- ... and some documentation updates
- ... and a large amount of code polishing (non-logic changes)
Changes to squid-3.5.0.3 (09 Dec 2014):
- Bug 4146: workaround SSL Bump crash on Linux
- Bug 4135: Support \-escaped characters in regex patterns
- Bug 4131: SIGSEGV at store.cc:962 content_length > store_maxobjsize
- Fix delay_parameters parsing
- HTTP/2: handle 'PRI' method found in HTTP/1.x traffic
- ... and all changes from squid 3.4.10
- ... and a lot of documentation updates
Changes to squid-3.5.0.2 (31 Oct 2014):
- Fix FTP socket opening during reconfigure
- ... and all changes from 3.4.9
- ... and some build errors in rarely used code
- ... and several documentation updates
Changes to squid-3.5.0.1 (17 Oct 2014):
- Port from 2.7: redirector and logging urlgroup feature
- Bug 4093: source-maintenance.sh bad perl -i option
- Bug 3608: per-service name for workers UDS sockets
- Bug 2554: 32-bit wrap in AUFS counters
- Bug 1961 pt1: URL handling redesign
- Bug 1202 pt1: documentation for refresh_pattern algorithms
- Update Squid boilerplate copyright/license
- Update the http(s)_port directives protocol= parameter
- Update forward_max_tries to permit 25 server paths
- Update Kerberos library detection and build options
- Support ACLs on ftp_epsv directive
- Support >32KB objects in cache_dir rock storage
- Support client connection annotation by helpers via clt_conn_tag=TAG
- Support native FTP Relay
- Support libgnugss Kerberos library
- Support libecap v1.0
- Support SSL Peek and Splice feature
- Support receiving PROXY protocol version 1 and 2
- Replace --enable-ssl build option with --with-openssl
- Enable -n service name command line option for all Squid builds
- Enable ICAP client by default
- Fix configuration file parsing bugs, related to quoted strings
- Fix Windows MinGW build errors
- Fix multiple TCP outgoing TOS/DiffServ bugs
- Fix Cygwin /etc/resolv.conf parsing
- Fix crash when sending %ssl::cert_subject to external ACL w/o certificate
- Fix crash reading malformed config files
- Send selected SSL version and cipher to the certificate validation helper
- Validate server certificates without bumping
- Add zero-copy string buffer support
- Add automated squid.conf parser testing with squid -k parse
- Add adaptation_service ACL
- Add logformat code %tS to log transaction start time
- Add logformat code %>rd to log client URL domain name
- Add key_extras to proxy authentication
- Add url_rewrite_extras and store_id_extras directives
- Add send_hit and store_miss directives
- Add collapsed_forwarding directive
- Add sslproxy_cert_sign_hash directive
- Add SMP SSL session cache
- Add cache_peer standby connections
- Add helper ext_delayer_acl
- Add TCP_TUNNEL log code for CONNECT tunnels which are not SSL-bumped
- Add BUILDCXX and BUILDCXXFLAGS configure options for cross-compile
- Remove COSS storage in favour of Rock storage
- Remove dnsserver and external DNS helper API in favour of mDNS
- Remove broken mallinfo() accounting and memory tracing
- Remove hierarchy_stoplist in favour of always_direct
- Deprecate tag ACL type in favour of note ACL type
- Deprecate urlgroup feature in favour of note ACL type
- HTTP/1.1: method names are case-sensitive
- HTTP/1.1: register new headers from RFC 723x
- squidclient: polish and update help display
- squidclient: support TLS with GnuTLS 3.1.5+
- squidclient: support verbosity levels
- squidclient: --ping mode module support
- url_fake_rewrite: support concurrency
- storeid_file_rewrite: support concurrency
- digest_file_auth: support concurrency
- digest_edirectory_auth: support concurrency
- digest_ldap_auth: support concurrency
- ... and many error page translation updates
- ... and much code cleanup and polishing
Changes to squid-3.4.14 (01 Aug 2015):
- Do not blindly forward cache peer CONNECT responses (CVE-2015-5400)
Changes to squid-3.4.13 (01 May 2015):
- Bug 4212: ssl_crtd crashes with corrupt database
- ... and some documentation updates
- ... and all fixes from squid 3.3.14
Changes to squid-3.4.12 (18 Feb 2015):
- Bug 4066: Digest auth nonce indefinite rollover
- Bug 3997: Excessive NTLM or Negotiate auth helper annotations
- Fix several crashes when debugging enabled
- Fix silent SSL/TLS failure on split-stack operating systems
- HTTP/1.1: Stop emitting (Proxy-)Authentication-Info for Negotiate
- HTTPS: Add TLS/SSL option NO_TICKET to http[s]_port
- Remove dst ACL dependency on HTTP request message existence
- Set cap_net_admin when Squid sets TOS/Diffserv packet values
- ... and some documentation updates
Changes to squid-3.4.11 (13 Jan 2015):
- Bug 4164: SEGFAULT when %W formatting code used in errorpages
- Bug 4057: Avoid on-exit crashes when adaptation is enabled.
- Bug 3760: squidclient ignores --disable-ipv6
- Bug 3754: configure doesn't detect IPFilter 5.1.2 system headers